ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Gee

v1.0.5

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

0· 50·0 current·0 all-time
by@huihuilu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is described as a logging/self-improvement helper that uses lightweight bash scripts to create and append markdown files and optionally install hooks. However the registry metadata and install spec require a binary named 'gog' (brew formula steipete/tap/gogcli). The SKILL.md, scripts, and all code files do not reference 'gog' anywhere, so requiring/installing that binary is not justified by the stated purpose.
Instruction Scope
SKILL.md and the included scripts limit behavior to creating .learnings files, printing short reminders, detecting error text in CLAUDE_TOOL_OUTPUT, and scaffolding skill files. These are within the stated purpose. However the skill encourages installing hooks that run scripts with the agent's permissions and reading CLAUDE_TOOL_OUTPUT (potentially sensitive). The docs mention not logging secrets and explicitly warn about CLAUDE_TOOL_OUTPUT sensitivity, which is good, but enabling PostToolUse hooks can expose command outputs if misconfigured.
!
Install Mechanism
The install spec pulls a third-party brew formula (steipete/tap/gogcli) that installs a 'gog' binary. The skill doesn't use or reference that binary in its scripts or docs. Installing an unrelated third-party package increases risk and is disproportionate. The brew source is not a well-known system package in the SKILL.md context; justify or remove this dependency.
Credentials
The skill does not request credentials or config paths, which is appropriate. It does, however, rely on the host environment providing CLAUDE_TOOL_OUTPUT to the error-detector hook; that env var is not declared in requires.env but is a standard hook context variable. Because CLAUDE_TOOL_OUTPUT can contain sensitive command output, enabling the PostToolUse hook could surface secrets unless the user carefully sanitizes or opts in.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and only modifies local workspace files/hook configurations when you follow the documented opt-in steps (copying hooks, enabling them). extract-skill.sh writes a skill scaffold in a relative ./skills dir and defends against absolute/.. paths; that behavior is documented and requires user action.
What to consider before installing
This skill's behavior (creating .learnings, printing short reminders, detecting error text, scaffolding skills) is coherent and documented — but the brew dependency on 'steipete/tap/gogcli' (binary 'gog') is unexplained and unnecessary given the scripts and docs. Before installing: - Do not blindly run the brew install; inspect the tap/formula (https://github.com/steipete/tap or the formula source) to see what the package does. If you don't need 'gog', skip that install. - Enable hooks only intentionally. The PostToolUse hook runs error-detector.sh which reads CLAUDE_TOOL_OUTPUT (command output). Only enable it in trusted environments and ensure your workflows don't leak secrets into tool output. - Run scripts in dry-run/safe mode first: use extract-skill.sh --dry-run to see what it would create, and manually inspect activator.sh and error-detector.sh (they are short and readable). - If you want the logging behavior but not the brew binary, install the skill files manually (copy scripts and SKILL.md) and skip the brew step. If you want me to: (1) fetch and summarize the steipete/tap/gogcli formula for you, or (2) highlight exact lines in the scripts that could expose sensitive data, say which option you prefer.

Like a lobster shell, security has layers — review code before you run it.

AA BB CCvk977j5kjjra7w3vgkhwmpypzpd8433azlatestvk977j5kjjra7w3vgkhwmpypzpd8433az

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎮 Clawdis
Binsgog

Install

Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli

Comments