ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weekend Scout

v1.0.2

Weekend Scout discovers next-weekend outdoor events, festivals, fairs, and road-trip ideas near the user's city and nearby cities. It builds home-city picks...

0· 75·0 current·0 all-time
byDmitry Nikolaenya@gooorooox

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for gooorooox/weekend-scout.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Weekend Scout" (gooorooox/weekend-scout) from ClawHub.
Skill page: https://clawhub.ai/gooorooox/weekend-scout
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install weekend-scout

ClawHub CLI

Package manager switcher

npx clawhub@latest install weekend-scout
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (scout local events, prepare a digest, send to Telegram) aligns with the included files and runtime contract: a Python CLI package, caching, discovery (WebSearch/WebFetch), formatting, and a Telegram transport are all present and expected.
!
Instruction Scope
The SKILL.md explicitly tells the agent not to inspect the package source or call --help during a normal run and to treat bundled references/CLI as authoritative. That restriction reduces in-run transparency and auditing of the installed code. The bootstrap flow will run a bundled installer script (install/install_skill.py) if the installed package version differs, so the runtime instructions cause execution of code from the bundle; you should review that code before permitting installation.
Install Mechanism
There is no registry 'install' spec, but the SKILL.md bootstraps by running the included install/install_skill.py via the local Python interpreter. The installer is bundled (no external URL in the manifest), which avoids arbitrary remote downloads, but executing an included installer still executes code on the host. Inspect install/install_skill.py to confirm it only installs the bundled package locally and does not fetch or run unexpected remote artifacts or perform unrelated system changes.
Credentials
The registry declares no required environment variables or credentials. Telegram credentials are expected to be configured via the package's CLI (python -m weekend_scout config), not via environment variables. That is proportionate to the described functionality, but you should verify where and how those credentials are stored (config file or cache) before use.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It uses a local cache_dir for persistent SQLite and files; it does not request system-level or other skills' configuration access. Normal persistence behavior (cache, SQLite) is consistent with the stated purpose.
What to consider before installing
Before installing or running this skill: 1) Inspect install/install_skill.py to see what it does (does it call pip to install locally, fetch remote code, or run arbitrary shell commands?). 2) Inspect weekend_scout/telegram.py and config.py to confirm Telegram bot token/chat_id storage location and that tokens are not transmitted anywhere except Telegram's API. 3) Review any network calls in the code (WebFetch/WebSearch callers) to ensure they go to expected endpoints and that no hard-coded unusual remote endpoints exist. 4) If you lack confidence, run the installer and the skill in a sandboxed environment or VM and/or audit the code paths that run during bootstrap and send. 5) Be cautious that the SKILL.md explicitly forbids inspecting package source during a normal run — that is a design choice that prevents on-the-fly auditing; treat it as a reason to perform an explicit manual review before granting execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk973dc1kj1ar6qcqe570hnw96985aprp
75downloads
0stars
3versions
Updated 5d ago
v1.0.2
MIT-0
Dmitry Nikolaenya@gooorooox
latest
Download

Weekend Scout

Use this repo-root skill as the stable bundle entrypoint. Weekend Scout scouts next-weekend outdoor events near the configured city, ranks local picks and road trips, and relies on run-scoped session caching plus a persistent SQLite cache managed through the CLI.

Do not treat this root file as the full scouting workflow. Its job is limited to bootstrapping the Python runtime from this bundle and dispatching to the matching bundled runtime SKILL.md.

Bootstrap

  1. Resolve bundle_root. Prefer {baseDir} when the host provides it. Otherwise resolve the directory containing this SKILL.md.
  2. Resolve a Python command by trying python, then python3. If neither exists, stop and report that Python 3.10+ is required.
  3. Read the bundle package version from pyproject.toml.
  4. Check the installed weekend-scout package version with the chosen interpreter via importlib.metadata.
  5. If the package is missing or the version differs from the bundle version, run: "<python_cmd>" "{bundle_root}/install/install_skill.py" --with-pip --runtime-only
  6. If bootstrap fails because of an externally managed environment, stop and show the exact retry command with --break-system-packages. Do not auto-retry with that flag.
  7. If bootstrap succeeds, or the installed version already matches the bundle, continue in the same invocation.

Dispatch

  1. Identify the host only when it is explicit from the active environment, active skill path, or tool/runtime surface. Treat the active workspace-installed bundle case as OpenClaw only when the current session clearly is OpenClaw. Otherwise use Claude Code or Codex only when that host is equally explicit.
  2. Use exactly one bundled runtime file:
PlatformCanonical runtime skill
OpenClaw.openclaw/skills/weekend-scout/SKILL.md
Codex.agents/skills/weekend-scout/SKILL.md
Claude Code.claude/skills/weekend-scout/SKILL.md
  1. Before dispatching, confirm that the chosen nested SKILL.md exists.
  2. Follow the chosen nested runtime skill and its adjacent references/ directory exactly as shipped.
  3. If the host is not clear, stop and list the available bundled runtime paths instead of guessing.

Guardrails

  • Keep this root skill as the permanent bundle entrypoint. Do not self-replace it, overwrite the installed workspace bundle, or promote a shared/global skill copy as the primary path.
  • Keep later invocations cheap: if the installed package version already matches the bundle version, skip installation and dispatch immediately.
  • Use only python -m weekend_scout ... CLI commands for config, discovery, cache, digest preparation, formatting, and delivery.
  • Do not manually edit cache files, transport payloads, YAML config, or SQLite data as a substitute for the CLI workflow.
  • Treat the chosen nested runtime SKILL.md plus its bundled references as the sole authority for scout workflow, command order, payload shape, and failure handling.

Failure Handling

  • If the bootstrap command fails, surface the exact command you ran plus the installer's own guidance. Do not invent an alternative recovery flow.
  • If the chosen nested runtime file is missing, report the exact missing path and stop.
  • Do not send the user to README-style manual setup as the primary path.

Comments

Loading comments...