Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Focus Master

v1.0.1

Manage tasks with configurable Pomodoro timers, track time spent, analyze time allocation, block distractions, and generate efficiency reports.

by haidong@harrylabsj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description indicate a local CLI for Pomodoro and task tracking, which matches the SKILL.md usage examples and data storage location. However, package.json declares a binary named "time-management" and the SKILL.md asks you to symlink that file, but no executable or code file named "time-management" is present in the skill bundle. That mismatch suggests the package is incomplete or expects you to obtain a binary from an unspecified place.
Instruction Scope
The runtime instructions are narrowly scoped to installing a symlink, running the CLI, reading/writing local config and an SQLite DB under ~/.openclaw/data/time-management/, and changing settings — all consistent with a local productivity tool. The instructions do not request other system files or external endpoints. The 'focus mode / block distractions' feature is vague and not documented in the SKILL.md; how it blocks distractions (hosts file, notifications, window management, firewall, browser extensions, etc.) is unspecified and should be clarified before trusting it.
Install Mechanism
There is no formal install spec (instruction-only), which is low risk in itself, but the SKILL.md instructs creating a symlink from ~/.openclaw/workspace/skills/focus-master/time-management to ~/.local/bin/time-management. Because the executable file is not included in the bundle, following this instruction would either create a broken symlink or rely on you to place an executable in that path from an unspecified source. package.json points to a GitHub repo, but no automated or documented safe fetch/install step is provided — this is an integrity/provenance gap.
Credentials
The skill declares no required environment variables, no credentials, and stores data locally under ~/.openclaw/data/time-management/. Requesting only local config/db access is proportionate for the stated purpose.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and its only persistent artifact is a local data directory and the optional symlink in ~/.local/bin. Those are normal for a user-installed CLI; still, creating a binary in PATH via symlink is something you should verify the source of before doing.
What to consider before installing
This bundle looks like a CLI Pomodoro/task tracker, but the package is missing the actual 'time-management' executable it tells you to symlink. Do not run the ln -s command or place any binary in your PATH until you verify the executable's source and contents.

Recommended steps before installing:

- Inspect the skill directory in ~/.openclaw/workspace/skills/focus-master/ to confirm whether a 'time-management' file exists and is the code you expect.
- If the file is missing, obtain the source from the referenced GitHub repo (package.json.repository) and review the code before installing. Prefer cloning the repository yourself and inspecting scripts.
- If a prebuilt binary is provided, verify its checksum/signature and review what operations it performs (especially anything that modifies system files like /etc/hosts, firewalls, or browser settings) in a sandbox or VM.
- Ask the skill author for the missing executable or source code; do not symlink an unknown file into ~/.local/bin.
- Because 'focus mode' could change system behavior, confirm exactly how it blocks distractions before granting it broad file or system access.

I assessed this as 'suspicious' (not necessarily malicious) because of the incomplete packaging and unclear provenance of the executable; additional information (the missing script or a trustworthy repo snapshot) would likely change the verdict to benign.


Version: latest (vk973mgp9hwfzkst8sdq9kvad1182q4gy)
