ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Reminder

v1.0.0

Reminder and scheduling skill. Set one-time or recurring reminders, manage tasks, and send notifications.

0· 71·0 current·0 all-time
by@jpengcheng523-netizen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises multi-channel notifications (push, email, message) and scheduling features, but the skill declares no environment variables, credentials, or integration details needed to send emails or push messages. That capability does not match the declared requirements.
!
Instruction Scope
SKILL.md instructs running python3 scripts/reminder.py with add/list/delete/complete subcommands and states reminders persist to ~/.openclaw/reminders.json. The skill bundle contains no scripts or code—so these instructions would cause the agent to attempt to run local, user-side commands or assume external tooling exists. That creates ambiguity and potential for unexpected local command execution.
Install Mechanism
No install specification and no code files are included (instruction-only). This minimizes supply-chain install risk, but also means the skill expects external/local tools to provide functionality.
!
Credentials
No env vars or credentials are requested even though the skill claims multi-channel delivery (email/push/messages) which normally requires API keys, SMTP credentials, or push-service tokens. The absence of declared credentials is disproportionate to the advertised features.
Persistence & Privilege
The skill states it persists reminders to ~/.openclaw/reminders.json. Persisting data in the user's home directory is expected for a reminder tool, but it is persistent storage that will survive restarts and may contain personal data—users should be aware of where data is stored.
What to consider before installing
This skill is instruction-only: it tells the agent to run a local Python script (scripts/reminder.py) and to store reminders in ~/.openclaw/reminders.json, but the skill bundle includes no code or any credentials for sending email/push messages. Before installing or invoking it, verify whether you already have the referenced scripts/tools on your system and inspect them (scripts/reminder.py) — do not run unknown scripts. Ask the publisher how email/push notifications are implemented and where credentials should be provided. If you don't want the agent to run local commands or create files in your home directory, do not install. If you proceed, consider running in a sandbox or backing up/removing ~/.openclaw before first use.

Like a lobster shell, security has layers — review code before you run it.

latestvk976e81jxx1tdcy2wn64b3sycn83g7qb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments