Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Digital Life Organizer
v1.0.0
Digital Life Organizer / 数字生活整理师. Helps users inventory digital assets, organize files, manage subscription services, and audit password security.
by haidong @harrylabsj
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The README/SKILL.md promises 'scan local device, cloud storage, and audit passwords' and a full asset/subscription/security audit. However, the packaged code (index.js) implements mock data generators (e.g., generateMockProfile) and no logic to access the filesystem, cloud APIs, or password stores. The skill also declares no required credentials or config paths. That makes the claimed capability (real scanning/auditing) inconsistent with what is actually implemented.
Instruction Scope
The SKILL.md defines actions like scan_assets, organize_files, manage_subscriptions and audit_security and describes engines that 'scan' and 'aggregate'. But the runtime instructions and provided code do not show any safe, explicit steps to read local files, request cloud API keys, or integrate with password managers. The schemas are detailed, but the operational instructions are vague about how real data would be obtained — implying either a simulated skill or missing integration instructions.
Install Mechanism
No install spec is provided and there are only small JS files and a test stub. There are no external downloads, package installs, or unusual install behavior. This lowers risk from installation mechanisms.
Credentials
The skill requests no environment variables, credentials, or config paths, yet its purpose (cloud scans, subscription checks, password audits) would normally require API keys, OAuth tokens, or filesystem access. The absence of required credentials is disproportionate to the stated functionality and suggests the skill either cannot perform real scans or would prompt for secrets at runtime (not declared).
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. There is no install step that writes persistent agents or system-wide configs in the package. No elevated persistence or cross-skill config modification is visible.
What to consider before installing
This package appears to be a prototype or simulator: it documents full-device/cloud scans and password audits but the code returns mock/sample reports and there are no declared connectors, credentials, or filesystem/network calls. Before installing or trusting results, ask the author how the skill obtains real data and where credentials would be supplied; do not hand over passwords, API keys, or OAuth tokens unless you verify a secure, documented integration. If you expect real scanning of local files or cloud accounts, prefer skills that explicitly list required credentials, show the exact integration code (or trusted third-party connectors), and have a verifiable repository/history. If you want to test safely, run the included test stub in an isolated environment and inspect the handler implementation to confirm whether any runtime prompts or network calls occur.
Like a lobster shell, security has layers — review code before you run it.
