Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Receipt Logger
v1.0.0
Create tamper-proof, append-only, cryptographically signed logs of agent actions with exportable, verifiable JSON receipts.
⭐ 0 · 111 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill claims a CLI 'receipt-logger' and a receipts/ storage directory (and config.json lists entry:'receipt-logger', runtime:'shell'), but no executable or script is included and there is no install spec. The stated capabilities (HMAC signatures, chaining receipts) would legitimately require either a shipped script or a clear install step and access to signing keys; those are missing.
Instruction Scope
SKILL.md instructs the agent to run CLI commands (log/list/verify/export) and to produce HMAC-based signatures and chained hashes, but it does not explain how the signing key is created, stored, or protected, nor does it list required system binaries (openssl/sha256sum) or file-permission rules. The instructions are therefore underspecified and grant broad discretion without safe defaults.
Install Mechanism
There is no install spec (instruction-only), which normally lowers risk, but here that is a problem: config.json points to a shell entrypoint that does not exist in the bundle. That mismatch is an incoherence (the skill claims to install and run a CLI but provides no code or installation path).
Credentials
The skill advertises cryptographic signing (HMAC) but declares no environment variables, no primary credential, and no key file path. HMAC requires a secret key; absence of any declared mechanism for key management is disproportionate and ambiguous (risk of insecure default keys, accidental key exposure, or missing functionality).
Persistence & Privilege
The skill does not request always:true, elevated privileges, or special config paths. It is user-invocable and allows autonomous invocation (platform default). Those defaults are normal and not by themselves concerning.
Scan Findings in Context
[no_code_files] unexpected: The static scanner found no analyzable code. SKILL.md and config.json reference a 'receipt-logger' shell entrypoint and a receipts/ storage directory, but no implementation is bundled. For this purpose, code is expected but missing.
What to consider before installing
Don't install or enable this skill yet. Ask the publisher to provide the actual 'receipt-logger' script or a clear install mechanism, and answers to these:
(1) Where and how is the HMAC signing key generated, stored, and rotated?
(2) Is signing HMAC (symmetric) deliberate, or should it use asymmetric signing for non-repudiation?
(3) What system binaries or dependencies are required (openssl, sha256sum, jq, etc.)?
(4) Where are receipts stored and what filesystem permissions are recommended?
(5) Does the CLI ever transmit receipts off-host or call any network endpoints?
Require a code review of the CLI before use; if you proceed, run it in a sandboxed environment, ensure the signing key is provided from a secure secret store (not left as a hardcoded/default), and verify offline signature validation with a known-good verifier.
Tags: audit, latest, logging, memory, receipt, trust
