Looking for Someone
Security checks across malware telemetry and agentic risk
Overview
This appears to be a purpose-aligned local missing-person case organizer, but it stores highly sensitive case details in unencrypted local JSON and has minor packaging/documentation gaps.
This skill looks coherent and local-only, but it may contain very private information about missing people and families. Use it on a trusted device, avoid storing unnecessary ID numbers or financial details, carefully review generated notices before sharing them publicly, and confirm how to delete local case data when it is no longer needed.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the user’s local files or backups could potentially read sensitive case details if the device or account is not protected.
The skill intentionally stores sensitive missing-person case data locally, including possible ID numbers and family contact information, and discloses that it is not encrypted.
Optional Fields: `phone`, `birthDate`, `idNumber`, ... `familyContacts`; Data Storage: Cases are saved locally in `~/.openclaw/skills-data/looking-for-someone/`; Limitations: No field-level encryption
Only enter sensitive identifiers when truly necessary, avoid putting ID numbers or private addresses into public notices, protect the local device account, and delete or archive case files when no longer needed.
Users may not be able to run the documented tests as written, making it harder to verify the package locally.
The documented test command references test.js, but the provided file manifest does not include that file. This is a completeness/documentation gap, not evidence of hidden behavior.
Run the basic test suite:
```bash
node test.js
```
Before relying on the skill, verify the available files and treat the missing test reference as a packaging issue to resolve with the publisher.
Users could assume there is an obvious built-in deletion workflow even though the primary instructions do not show one.
The privacy document describes deletion rights, but the main SKILL.md command list only documents create, list, progress, clue, notice, guide, and reminders commands, so deletion mechanics are not clearly documented in the primary workflow.
Deletion: User-initiated deletion available at any time
Confirm how to delete stored case data before entering highly sensitive information; if no command is available, delete the local data files from the documented storage directory when appropriate.
