Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill Gitee
v1.1.1
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and scripts implement a local self-improvement logging workflow (creating .learnings/, small hook scripts, and a skill-extraction helper). However the package metadata and frontmatter declare a required binary 'gog' and an install step (brew steipete/tap/gogcli) even though none of the included scripts or docs reference or invoke 'gog'. This requirement appears disproportionate to the stated purpose and is unexplained. Additionally there are inconsistent identifiers (skill slug/name and _meta.json owner/slug differ), which suggests sloppy packaging or poor provenance.
Instruction Scope
Runtime instructions are generally scoped to creating/maintaining .learnings/ files and optionally installing hooks into ~/.openclaw/hooks. Scripts are small and self-contained (activator prints reminders; error-detector reads CLAUDE_TOOL_OUTPUT and emits a reminder; extract-skill scaffolds a new skill). These behaviors align with the stated purpose. Note: scripts read CLAUDE_TOOL_OUTPUT (a runtime env var) but the skill's requires.env list is empty — the use of that env var is reasonable for an agent platform but should be explicit. The SKILL.md correctly warns not to log secrets. The only potential scope creep is the guidance to copy hooks into user-level directories (modifying user environment), which is opt-in but worth being careful about.
Install Mechanism
The install spec triggers a brew install from a third‑party tap steipete/tap/gogcli to provide a 'gog' binary. The included files do not call or depend on 'gog', so this install step is unnecessary and disproportionate. Installing from an external tap is higher-risk than using core/homebrew formulas because the tap is outside the main review pipeline. Other install instructions (git clone of a public repo) are standard and expected.
Credentials
The skill declares no required environment variables, but scripts read CLAUDE_TOOL_OUTPUT (platform-provided) and SKILL.md instructs placing files under ~/.openclaw and enabling hooks. That's mostly reasonable, but the explicit request to install an unrelated external binary (gog) without justification is a red flag. No secrets or external API credentials are requested, which is appropriate for the skill's purpose.
Persistence & Privilege
always:false and normal autonomous invocation are used (default). Hooks and workspace file injections are opt-in — the SKILL.md shows manual copy/enable steps for hooks, and the scripts write only to skill-local or workspace-relative paths. The extract helper prevents absolute or '..' output paths, limiting accidental writes outside the workspace. No skill-level 'always:true' or modifications to other skills' configs were requested.
What to consider before installing
This skill appears to actually do what it says (log learnings/errors and provide lightweight hook scripts), but there are a few unexplained items you should check before installing:
- Ask the publisher why the brew install for 'steipete/tap/gogcli' (gog) is required — none of the included scripts reference 'gog'. Avoid installing that tap until you can verify its necessity and trustworthiness.
- Confirm provenance: metadata/frontmatter contain mismatched names/slugs/owner IDs (skill-gitee vs skill-b vs skill-a in _meta.json). Prefer skills with consistent metadata or from a known author.
- Review the brew formula and any external install artifacts before running them. Installing from a third‑party Homebrew tap has higher risk than using core/homebrew or a known release host.
- If you enable hooks, do so intentionally and scope them to specific projects (avoid enabling global user-level hooks unless you trust the code). Hooks will run with your user permissions.
- Audit the scripts (activator.sh, error-detector.sh, extract-skill.sh) yourself — they are short and readable; ensure you are comfortable with their behavior (they avoid network calls and avoid writing outside the workspace when used as intended).
- If you need to proceed, consider a dry-run of extract-skill (--dry-run) and avoid the unexplained brew step until clarified.
If the publisher can explain and justify the 'gog' dependency and clean up the metadata mismatches, this would materially reduce the concerns.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎮 Clawdis
Bins: gog
Install
Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli