Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crayfish Diary
v0.1.1A WorkBuddy skill for quick diary and memo recording with automatic year/month/day directory organization. Supports Chinese and English triggers - start with...
⭐ 0· 253·0 current·0 all-time
by@italks
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the provided code and instructions. The Python script creates year/month/day directories, sanitizes filenames, writes markdown files, and updates a daily README — all consistent with a diary/memo skill. The included publish script and repo metadata are typical for a developer release artifact (minor version string mismatch: registry lists 0.1.1 while clawhub.json states 1.0.0).
Instruction Scope
SKILL.md explicitly instructs the agent to collect the user's subsequent conversation until an 'end recording' trigger and to create directories and files in a specified workspace. This is expected for a recording diary skill, but it does mean conversational content will be written to disk in the workspace; users should be aware of where the base_path/space resolves and who can access that storage.
Install Mechanism
No install spec is present (instruction-only skill). The code files are plain Python and a shell script; nothing is being downloaded or auto-installed. This is the lower-risk model for skills that write files locally.
Credentials
The skill requests no environment variables, no credentials, and no special config paths. All file I/O is local under a base_path provided to the script or the agent's workspace. No unrelated services or secrets are requested.
Persistence & Privilege
always is false and the skill does not request persistent system privileges. It does include a publish.sh that, if run manually, could push the repository to GitHub (requiring the user's git credentials), but the SKILL.md does not instruct automatic use of that script or any privileged modifications to other skills or global settings.
Assessment
This skill appears internally consistent, but consider these practical points before installing:
- Storage location: diary files are written to the workspace path (default '龙虾日记' under the provided base_path). Confirm that the workspace or filesystem location is private and backed up as you expect.
- Sensitive data: anything you say while recording will be written to disk in plain text Markdown. Don’t record secrets you wouldn’t want stored in that location.
- publish.sh: a shipping helper script can push to the developer's GitHub repo if run manually; don’t run it unless you intend to publish the skill and understand which git credentials and remote will be used.
- File permissions: ensure file permissions on the workspace are appropriate so other users/processes cannot read your diaries.
- Minor metadata mismatch: registry version differs from clawhub.json version — this is likely a packaging oversight, not malicious, but you may want to confirm the source repository if you plan to trust the package.
If you want stronger assurances, ask for the authoritative source repository or run the Python script in a controlled test folder first to confirm its behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97expeevn89e3dy3wxx1exsjn82qegd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.