ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Inr Sender

v1.0.0

Envoie le résultat de l'INR (International Normalized Ratio) à un centre de télémédecine spécialisé ou pour un test. Utilise ce skill lorsque Gilles souhaite...

0· 91·1 current·1 all-time
by@gillescv

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for gillescv/inr-sender.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Inr Sender" (gillescv/inr-sender) from ClawHub.
Skill page: https://clawhub.ai/gillescv/inr-sender
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install inr-sender

ClawHub CLI

Package manager switcher

npx clawhub@latest install inr-sender
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's purpose (emailing an INR value) is simple and coherent with the included script, but the metadata claims no required binaries or credentials while the script calls /root/go/bin/gog and specifies a fixed --account value (harpoutian@gmail.com). The missing declaration of that binary/credential is an inconsistency.
!
Instruction Scope
SKILL.md and the script only perform email sending, which is in-scope. However the script hard-codes recipient addresses (creatif.lrb@aphp.fr and harpoutian@gmail.com) and includes highly sensitive personal data (full name and date of birth). It also assumes a particular locale and environment (LC_TIME fr_FR.UTF-8) and a specific binary path, which broadens its implicit scope and risk.
!
Install Mechanism
There is no install spec (instruction-only), but the script depends on an external tool at /root/go/bin/gog. Expecting an unlisted binary at a root-owned path is risky and likely to cause failures or require elevated setup. The skill should declare/install (or at least require) the gog tool instead of assuming its presence.
!
Credentials
The package declares no required environment variables or credentials, yet the script uses a specific Gmail account (--account harpoutian@gmail.com) and therefore implicitly requires authentication/credentials for that account in the 'gog' tool. This mismatch is disproportionate and unexplained. Also, transmitting health data is sensitive and needs explicit consent/accountability.
Persistence & Privilege
The skill is user-invocable and not flagged always:true; it does not claim persistent/system-wide privileges or modify other skills. However, the script's use of a root-path binary suggests it assumes a particular installation location and privileges.
What to consider before installing
Before installing or using this skill, consider these points: - The script calls /root/go/bin/gog — the skill did not declare that binary. Confirm whether 'gog' is installed, where it is installed, and how it's authenticated; otherwise the skill will fail or require privileged setup. - The script hard-codes sender account (harpoutian@gmail.com) and recipient addresses (creatif.lrb@aphp.fr and a Gmail test address). Verify you consent to sending sensitive health data (INR + name + date of birth) to those addresses and that the addresses are correct and authorized. - The skill does not declare or request credentials, but it implicitly needs authentication for the Gmail account. Ask the publisher how credentials are supplied and stored by 'gog' — do not provide credentials without understanding storage and access controls. - Prefer a version that allows configurable sender/recipient and omits or anonymizes DOB, or that documents installation steps (how to install/authenticate 'gog') and where credentials are kept. - If you cannot verify the 'gog' tool and the account setup, test in an isolated environment and avoid using real personal health data or real accounts until you confirm behavior. If you need help verifying the gog binary, or rewriting the script to avoid hard-coded sensitive data, provide the environment details and I can suggest safer alternatives.

Like a lobster shell, security has layers — review code before you run it.

latestvk970x1kv8a5gpe2tm02fkpqqz583mmqw
91downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@gillescv
latest
Download

INR Sender Skill

Ce skill permet d'envoyer votre valeur INR à une adresse e-mail prédéfinie ou à une adresse de test.

Utilisation

Pour envoyer votre INR : inr-sender <valeur_inr> [--test]

  • <valeur_inr> : La valeur numérique de votre INR (ex: 2.5).
  • --test (optionnel) : Si présent, l'e-mail sera envoyé à harpoutian@gmail.com pour un test. Sinon, il sera envoyé à creatif.lrb@aphp.fr.

Message envoyé

Le message aura le format suivant : "Bonjour, aujourd'hui (date du jour) mon INR était de [valeur_inr] (automesure). Merci et bonne journée, Gilles Harpoutian né le 16/07/1974"

Script (scripts/send_inr.sh)

Le skill utilise le script scripts/send_inr.sh pour formater et envoyer l'e-mail.

Comments

Loading comments...