Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Friends

v1.0.0

Build a personal friendship system with interaction tracking, relationship health, and proactive maintenance reminders.

by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described purpose (personal friendship tracking) matches the instructions (one Markdown file per friend, logging interactions, proactive reminders). However the skill explicitly instructs creating ~/friends/ and reading/writing friend files while the metadata declares no required config paths or permissions for persistent storage; this is a mismatch (the filesystem access is plausible for the stated purpose but should be declared).
!
Instruction Scope
SKILL.md tells the agent to create a workspace in the user's home (~/friends/), create and update per-person Markdown files, and surface private life-event data. It also lists 'Integration Points' (calendar, contacts, birthdays) without specifying how to access those services. The instructions therefore imply read/write access to the user filesystem and possible access to calendar/contacts data, but give no constraints on what the agent should do with that data (e.g., whether it may transmit it).
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is downloaded or written by an installer. This is low-risk from an installation/execution perspective.
!
Credentials
The registry declares no environment variables, credentials, or config paths. Yet the skill implies access to user calendar and contacts and persistent storage of sensitive personal data. Integrations that require tokens/permissions are mentioned but not declared. The absence of declared permissions/credentials for those integrations is disproportionate to the behavior the instructions imply.
Persistence & Privilege
The skill asks to create and maintain a persistent folder in the user's home for storing personal data. It does not request 'always:true' or other platform-level persistent privileges, but it does expect to write persistent files. Users should be aware this will create local, long-lived records of friends' sensitive life events.
What to consider before installing
This skill is mostly coherent with its stated purpose (a personal friend-tracking workspace) but it instructs the agent to create and maintain files in your home directory and references calendar/contacts integrations without declaring permissions. Before installing, confirm: (1) how the agent will be allowed to read/write ~/friends/ (will it ask you first?), (2) whether your platform will prompt for calendar/contacts access and what scopes are used, (3) where backups or syncs will go (could this data be uploaded anywhere?), and (4) whether data will be encrypted at rest. If you are uncomfortable with an agent creating long-lived files containing sensitive life events, do not enable the skill until the author clarifies storage location, permission prompts, and any external integrations. If you proceed, limit exposure by using a dedicated folder, avoid syncing it to cloud services unless encrypted, and review the agent's actions the first few times it writes files.


latestvk9739v6dksjczd0afdd3radn3n811m57
