Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wine Cellar
v1.0.0
Comprehensive wine cellar management skill for tracking inventory, providing meal-based recommendations, acting as a virtual sommelier, tracking consumption/...
by @fuzzysb
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)

Purpose & Capability
The code present (barcode lookup, recommendation engine, utils) supports the core features described (inventory, barcode lookup, meal pairing). However, SKILL.md advertises additional scripts and artifacts (add_wine.py, log_consumption.py, generate_report.py, data/consumption_log.json, data/purchase_history.json, many reference docs) that are not present in the file manifest. Some of that functionality is implemented under different names (e.g., add_wine_from_barcode in lookup_barcode.py), but the mismatch between advertised and included files is notable.
Instruction Scope
Runtime instructions and scripts operate only on JSON files in the skill's data directory and on local reference data. SKILL.md does not instruct reading unrelated system files or contacting remote endpoints. The scripts likewise perform only local file I/O and in-code lookups; lookup_barcode.py references external APIs only in TODO comments and makes no network calls.
Install Mechanism
No install specification is present (instruction-only skill with included scripts). According to the manifest, nothing is downloaded or installed at runtime, which reduces install-time risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code does not attempt to access external credentials. This is proportional for a local inventory/recommendation tool.
Persistence & Privilege
The skill is not forced-always, and it does not modify other skills or system-wide settings. It persists data only under its own data/ directory, which is consistent with its stated storage behavior.
What to consider before installing
This skill is not obviously malicious, but there are inconsistencies and missing pieces you should consider before installing:
- The documentation claims several helper scripts and data files (e.g., add_wine.py, log_consumption.py, generate_report.py, consumption_log.json, purchase_history.json) that are not present. That may mean the skill is incomplete or the docs are out of date. Verify the exact behavior you need (e.g., logging consumption) by testing the included scripts first.
- The included scripts operate only on JSON files inside the skill directory (data/). They will create or overwrite files there via save_json. Back up any important data and run the skill in an isolated environment if possible.
- There are no network calls in the shipped code, but lookup_barcode.py contains TODO comments to call external wine APIs in future. If the skill is updated to call external services it may require API keys; treat such updates as security-relevant and review any new network code and required environment variables before enabling.
- Recommended immediate steps: review and run the included scripts in a sandbox, confirm they only touch the skill's data/ folder, and verify that the features you expect are actually implemented. If you need the missing advertised scripts, ask the publisher for a complete release or inspect updates closely. If you will allow autonomous invocation in an agent, be aware that the skill can read and write the local skill data files; make sure that is acceptable for your environment.
Latest version: vk97b2p2qgf7q21grv5c3ztapr582y677
