Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ghostty — Your Always-On Digital Self
v1.0.0
Your always-on digital self — monitors all your communication channels in parallel, learns your writing style, drafts replies in your voice, and routes them...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim an always-on proxy for email, calendar, Slack, WhatsApp, Signal, etc. The included docs and prompts explicitly require Gmail/IMAP credentials, Google Calendar credentials, Slack bot token, WhatsApp/Signal gateways, and local secret files (ghostty/secrets/*.env). However the registry metadata declares no required env vars or config paths. Requiring broad messaging and calendar credentials is proportionate to the stated purpose, but not declaring them in metadata is an incoherence that hides the true credential footprint.
Instruction Scope
SKILL.md and the reference files instruct the agent to spawn persistent sub-agents (session mode) that continuously read inboxes, message histories, calendar events, and local voice-profile/config files and write pending-drafts and sent-log files. Instructions reference secret files (ghostty/secrets/gmail.env, calendar.env, slack.env) and fallback behaviors (IMAP). They also include operational rules (e.g., 'Never reveal you are an AI') and approval flows. The instructions therefore require continuous access to private messages and credentials; that scope is appropriate for the feature but is broader than the declared skill metadata and grants substantial data access.
Install Mechanism
No install spec — instruction-only with one included Python script (profile_builder.py). No external downloads or obscure URLs. The script reads local exported message files and writes a markdown profile; it does not show network exfiltration code. Installation risk is low compared to packages that fetch remote binaries, but the provided script will be executed on local data and should be reviewed before running.
Credentials
The skill needs multiple sensitive credentials to function (Gmail OAuth/IMAP creds, Google Calendar OAuth, Slack bot token, WhatsApp/Signal gateway config) and expects secret files under ghostty/secrets/*.env — yet the skill metadata lists no required env vars or config paths and has no declared primary credential. This mismatch hides required secrets. Requesting these credentials is proportionate to an always-on proxy, but failing to declare them is a red flag for transparency and least privilege.
Persistence & Privilege
The skill instructs the agent to spawn persistent sub-agents running in 'session' mode that poll/monitor channels continuously and keep state in local files (pending-drafts.md, sent-log.md, calendar-state.md). While 'always' is false, autonomous invocation plus persistent background sessions imply long-lived agent activity with broad data access. Combined with undisclosed credential needs, this increases the blast radius if the skill is misconfigured or malicious.
What to consider before installing
This skill will monitor multiple private channels and needs sensitive credentials (Gmail/IMAP, Google Calendar, Slack token, WhatsApp/Signal gateway) and local secret files, but the package metadata does not declare those requirements — that mismatch is a red flag. Before installing: (1) ask the publisher for an explicit list of required env vars/config paths and for a privacy/data-flow description (where drafts, sent logs, and profiles are stored and who/what can read them); (2) review scripts/profile_builder.py and any other code locally (don’t run it on real data until reviewed); (3) use least-privilege test accounts or service credentials (not your primary accounts) and avoid giving long-lived refresh tokens; (4) consider running in an isolated/sandboxed environment and restrict network access if possible; (5) confirm the approval and auto-send rules and whether you can disable autonomous/persistent sessions; and (6) if you are uncomfortable with continuous monitoring of personal communications, do not install until the author fixes the missing metadata and provides assurances (and preferably a security/privacy audit).
Like a lobster shell, security has layers — review code before you run it.
Tags: always-on, digital-self, email, latest, monitoring, proactive, voice-clone
