Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Synclaw

v0.1.0

Use this skill when the user wants to find compatible people based on deep psychological profiling. Triggers on "find my match", "find me a partner", "who am...

by Lifegamer (@ivankoriako)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description (compatibility matching) is plausible, but the SKILL.md says the agent will build a 'deep psychological profile from your LLM conversation history' and 'send the profile to the SynClaw server' while the registry shows no network endpoints, no required credentials, and no install payload. Requiring access to full conversation history and an external matching server are not justified by the absence of any declared endpoints/credentials — mismatch between claimed behavior and declared requirements.
Instruction Scope
Runtime instructions explicitly direct the agent to read LLM conversation history (sensitive personal data) and to send the derived profile to a remote server. The SKILL.md provides no server endpoint, no authentication details, and no privacy/consent guidance. It also contains a direct contradiction ('profile is sent to the SynClaw server' vs 'Your data stays local. Always'). This is scope creep and a privacy risk.
Install Mechanism
The skill is instruction-only with no install spec or code (lowest technical installation risk). However, the README suggests installation via 'clawhub install synclaw' despite there being no declared install manifest — this is misleading and should be clarified by the publisher.
Credentials
Registry metadata lists no required env vars/credentials, but the instructions imply network communication with an external SynClaw service. That external communication typically requires endpoints and credentials or at least a privacy policy; the absence of these is disproportionate and inconsistent with the stated actions. The agent would also need access to conversation history, which is sensitive and not declared in requirements.
Persistence & Privilege
Flags show no elevated persistence (always: false) and normal autonomous invocation. The skill does not request persistent system changes in the manifest. Nonetheless, its runtime instructions would require the agent to read and possibly transmit sensitive local conversation data — a privacy/privilege concern even without persistent installation.
What to consider before installing
Do not install or enable this skill until the publisher clarifies key details. Ask for: (1) exact data flow — the server URL(s) and what is sent; (2) authentication and who controls the server; (3) a privacy policy and retention/deletion rules; (4) whether the skill truly requires access to your conversation history and explicit consent mechanisms; (5) an install manifest or source code you can audit. The SKILL.md currently contradicts itself (claims data stays local but also sends profiles to a server) and omits endpoints/credentials — this is a privacy risk. If you must try it, test with synthetic/non-sensitive data only and require explicit opt-in before any real conversation history or personal data is transmitted.

