ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Time Converter

v1.0.0

Convert time between specified IANA timezones with optional date input, supporting multiple time formats and displaying timezone offsets.

0· 111·0 current·0 all-time
byhaidong@harrylabsj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (converting timezones) matches the described behavior and uses Python's zoneinfo. However, the SKILL.md references a local executable (~/.openclaw/skills/time-converter/convert_time) and mentions Python but the package contains only README.md and SKILL.md — no script or explicit requirement for a python binary is declared.
!
Instruction Scope
Runtime instructions are narrowly scoped (make a script executable and run convert_time), and do not ask for unrelated files or credentials. The concern is that the instructions direct the user to chmod and run an executable that is not included in the bundle; running unknown executables is risky. The SKILL.md also claims Python zoneinfo usage but doesn't instruct how to invoke Python or include the script content.
Install Mechanism
No install spec or downloads are present (lower risk). The only install step is a chmod of a path inside ~/.openclaw/skills/... which assumes a file will exist there — since no file is included, this is likely an incomplete package rather than an active supply-chain install. No external URLs or archives are used.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to a simple timezone conversion tool.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated persistence or modify other skills' configuration. No privilege concerns detected.
What to consider before installing
Do not run chmod +x or execute a convert_time binary unless you can inspect it first. The package you received contains only README.md and SKILL.md — the executable/script is missing. Ask the publisher for the convert_time script or the source code, and review its contents (look for shebang, any network calls, or subprocess/system commands) before making it executable. Confirm the script's Python requirements (Python 3.9+ for zoneinfo) and run it in a sandboxed environment if you must test it. If the publisher cannot provide source or a trustworthy homepage, treat the skill as incomplete and avoid installing or executing anything from it.

Like a lobster shell, security has layers — review code before you run it.

latestvk974bvjxeqp5nwq639ntdvfam9838cv7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments