Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Time

v0.3.0

LLM temporal reasoning scaffold for the temporal CLI.

by Joaquin Quezada Hernandez (@ikana)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is explicitly a helper for the temporal CLI and only requires the 'temporal' binary. No unrelated credentials, config paths, or unrelated binaries are requested.
Instruction Scope
SKILL.md confines actions to running the temporal CLI, editing/reading a local time.md, and using a /tmp scratch directory. It instructs running scripts/install.sh (provided) if temporal is missing. One caveat: the document includes explicit curl examples that download GitHub release binaries without checksum verification — the README notes this and recommends the provided installer instead.
Install Mechanism
There is no platform package spec; the included scripts/install.sh downloads a release binary from the project's GitHub releases and verifies a bundled SHA-256 for v0.1.0. Using GitHub releases is normal, and the installer verifies checksums when a bundled digest is available. The SKILL.md's ad-hoc curl examples bypass checksum verification (acknowledged in the text), which raises a moderate risk if followed blindly. The installer will refuse to install arbitrary 'latest' releases unless the user supplies TEMPORAL_SHA256, which is a cautious design.
Credentials
No sensitive environment variables or credentials are required. The installer accepts optional overrides (TEMPORAL_VERSION, TEMPORAL_INSTALL_DIR, TEMPORAL_SHA256), which are reasonable for controlling installation behavior.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. The installer places the binary in /usr/local/bin when writable or ~/.local/bin otherwise — standard installer behavior and scoped to the tool.
Assessment
This skill appears to be what it says: a helper for the 'temporal' CLI. Before installing: prefer running the included scripts/install.sh (it performs checksum verification for known bundled versions) instead of the curl examples in the README (those skip checksums). If you want the 'latest' release, obtain and supply TEMPORAL_SHA256 to avoid blind installs. Inspect the GitHub repo (Ikana/temporal) to establish trust, pin a version when possible, and consider installing to ~/.local/bin (or running in a sandbox/container) if you prefer not to place a new binary in /usr/local/bin.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Bins: temporal