Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deepsynclaw

v0.1.0

Use this skill when the user wants to find compatible people based on deep psychological profiling. Triggers on "find my match", "find me a partner", "who am...

by Lifegamer @ivankoriako
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The name/description (psychological compatibility matching) matches the instructions' intent to build a profile and perform matching, but the SKILL.md states the profile will be sent to a remote "DeepSynClaw server" while also claiming "Your data stays local. Always." There is no server endpoint, no homepage, and no declared credentials—incoherent for a networked matching service.
! Instruction Scope
Instructions tell the agent to build a deep psychological profile from LLM conversation history (sensitive personal data) and to send it to a server for matching, but give no details about where, how, or what safeguards/consent are required. There are no limits on what conversation history to include, no handling rules for PII, and no explicit user consent flow—this grants the agent broad discretion with sensitive data.
Install Mechanism
This is instruction-only with no install spec or downloads, which reduces risk from arbitrary code installation. The README's example 'clawhub install deepsynclaw' is inconsistent with the registry (no install spec) but not itself an install action in the package.
! Credentials
No environment variables or credentials are declared despite the stated flow involving a remote server. A networked matching service would normally require an endpoint and likely API credentials; the omission is unexplained and disproportionate relative to the sensitivity of the data being transmitted.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request elevated persistence or system-wide configuration. Autonomous invocation is allowed by default but not unusual and is not by itself flagged.
What to consider before installing
This skill is internally inconsistent and currently incomplete. It says it will send a "psychological profile" (highly sensitive personal data) to a remote server yet also claims data stays local, and it provides no server endpoint, privacy policy, or credentials. Before installing or using it you should: (1) ask the author for the exact server endpoint and privacy/security policy, (2) insist on a clear data-handling and consent flow describing what conversation history will be used and how PII is protected or anonymized, (3) verify whether any API keys or authentication are required and why those aren’t declared, (4) confirm the skill's source code or a trustworthy homepage and author identity, and (5) avoid sending real personal data or contacts until these questions are answered. Because the skill is marked "coming soon" and lacks implementation details, prefer not to enable it until the above concerns are resolved.

Like a lobster shell, security has layers — review code before you run it.
