Henteplan Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for checking waste pickup dates. The main things to notice are the address lookup through henteplan.no and the optional saved reminders.

This skill looks benign for its stated purpose. Before using it, be comfortable sending your address or locationId to henteplan.no, decide whether you want the agent to remember those details, and only set up the optional daily reminder if you want recurring automated checks.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Info
What this means

The agent may make network requests to henteplan.no when helping look up a schedule.

Why it was flagged

The skill relies on shell command examples using curl and jq to query the schedule API. This is expected for an instruction-only lookup skill and is scoped to the documented API.

Skill content

curl -s --max-time 10 "https://henteplan.no/api/v1/search?q=Kongens+gate+1" | jq .

Recommendation

Use the skill when you intend to query that service, and avoid providing more address detail than needed.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill may not work unless curl and jq are available, despite the registry requirements saying no binaries are needed.

Why it was flagged

SKILL.md declares required binaries, while the supplied registry metadata says no required binaries. This is an install/dependency metadata mismatch rather than hidden code.

Skill content

required_bins:
  - curl
  - jq

Recommendation

Ensure curl and jq are installed if you plan to use the documented commands.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Your postal code, city, street address, provider, or locationId may be sent to henteplan.no to find your waste pickup schedule.

Why it was flagged

The workflow sends address-related information to the external henteplan.no API. This is necessary for the lookup, but it involves location data.

Skill content

Ask for their street address, search within the detected provider.

Recommendation

Only provide address information you are comfortable sending to the service.

ASI06: Memory and Context Poisoning
Low
What this means

Future interactions may reuse your saved waste-provider location details without asking you to re-enter your address.

Why it was flagged

The skill asks the agent to retain provider and locationId for future use. This is useful and purpose-aligned, but it persists a location-linked identifier.

Skill content

Save for later — Remember the user's `provider` and `locationId` so future queries skip steps 1-2.

Recommendation

If you do not want location details retained, ask the agent not to remember them or to delete them later.

ASI10: Rogue Agents
Low
What this means

If you set it up, OpenClaw may check your schedule daily and send reminders using the saved provider and locationId.

Why it was flagged

The skill documents an optional recurring reminder job. It is user-directed and scoped to tomorrow's pickup check, but it creates ongoing autonomous activity.

Skill content

openclaw cron add \
  --name "waste-reminder" \
  --schedule "0 20 * * *"

Recommendation

Create the cron or HEARTBEAT reminder only if you want recurring checks, and know how to disable it.