ClawHub

Period Tracker

v1.0.1

Privacy-first menstrual cycle tracking. Auto-learns periods, symptoms, and patterns.

2· 921·1 current·1 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (local, privacy-first period tracking) match the observable footprint: no network endpoints, no credentials, and an explicit local file (~/period/memory.md) used for storing preferences and logs. The symptom list and privacy guidance are consistent with a tracker.
!
Instruction Scope
SKILL.md instructs the agent to persist preferences in a plaintext markdown file at ~/period/memory.md and gives the file format; privacy.md repeatedly states 'Local, encrypted, never shared' and 'Don't persist in memory — treat as ephemeral sensitive data.' There is no concrete mechanism described for encryption, key management, or how 'don't persist in memory' should be interpreted (agent runtime memory vs. the local file). This is an internal inconsistency: it claims data is encrypted and not persisted, yet provides a clear path to persist plaintext data. There are no instructions to transmit data externally, which is good.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. That minimizes on-disk install risk.
Credentials
The skill requests no credentials or environment variables (appropriate). It does, however, require the agent to write to a user home path (~/period/memory.md). Writing to the user's home directory is expected for a local tracker but is a privilege the user should consent to; no details are given about file permissions, backup behaviour, or encryption.
Persistence & Privilege
always:false and no elevated privileges requested. The skill persists data across runs in a file it owns, which is normal for this type of tool. Note: autonomous invocation is allowed by default on the platform (not flagged by itself).
What to consider before installing
This skill appears to be designed as a local, privacy-first period tracker and does not request credentials or network access — that's good. Before installing, ask the author to clarify two things: (1) What does 'encrypted' mean in practice? The SKILL.md shows a plaintext ~/period/memory.md format but does not describe any encryption or key storage; request exact encryption steps and where keys live (if any). (2) What does 'Don't persist in memory' mean? Confirm whether sensitive entries are prevented from being stored in the broader agent/platform conversation history (not just the local file). Also confirm file permissions, whether backups (OS or cloud) might include ~/period/memory.md, and how one-tap deletion is implemented and verified. If the author provides explicit, auditable encryption and key-handling instructions (or an option to store only ephemeral data), and confirms the platform will not log or back up the file, this assessment would likely move to benign. If those clarifications are not forthcoming, treat the skill as risky for highly sensitive health data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dstzp2qjtfpbpctjqa435hs816yt7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments