Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Win Humility Check
v1.0.0
A reflection skill that helps users process a win without overconfidence or lifestyle inflation. Use after a successful trade or investment gain. Prompt-only.
⭐ 0 · 28 · 0 current · 0 all-time
by haidong@harrylabsj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill is described as prompt-only reflection work; it should not need to read local files. Yet handler.py attempts to open /Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md — a user-specific filesystem path unrelated to the described capability. This is disproportionate and unexpected.
Instruction Scope
SKILL.md contains only prompt/instructional content and does not instruct reading any local files or accessing user-specific paths. The runtime code contradicts the SKILL.md by reading a local SKILL.md file, which is scope creep.
Install Mechanism
No install specification is present (instruction-only). Nothing would be downloaded or written to disk by an installer, which is appropriate for a prompt-only skill.
Credentials
The skill declares no environment variables or credentials, but the code accesses a hard-coded local config path under a specific user's home directory. That gives the skill potential access to local files/configuration not justified by its stated purpose.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and the handler does not modify other skills or global configuration.
What to consider before installing
This skill's functionality (a short reflective prompt) is simple and benign in description, but the included handler.py reads a hard-coded path under /Users/jianghaidong/.openclaw/skills/... which is unexpected and could expose local files. Treat this as suspicious: ask the author why the code reads that path (it looks like a developer leftover), request removal of hard-coded home paths or replacement with safe relative paths, and inspect or run the code in a sandbox before installing. If you cannot verify the author, avoid installing in an environment with sensitive files or credentials. If you want to proceed, ask for a version with the file-read removed or clearly documented and justified.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9764n69n8mtntd1e738zh99pn84yxm2
