Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Study Buddy
v1.2.0
Interactive study assistant that creates flashcards, quizzes, and spaced repetition reviews from any source material (notes, PDFs, photos, text, URLs). Use w...
by Joe @keepfit44
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description promise: extract from PDFs, photos, URLs, detect language, and process a variety of inputs. Actual requirements and code: only python3 is required and the repository includes a deck_manager.py that only creates/manages JSON decks and scheduling. There is no code that performs web fetching, PDF parsing, OCR, or language detection. This mismatch means either the LLM is expected to do extraction or the skill is incomplete.
Instruction Scope
SKILL.md instructs the agent to 'Extract and analyze the content' from URLs, PDFs, photos and to 'fetch content' per references/guidelines.md, but the provided runtime code does not implement fetching/OCR/parsing. The instructions are somewhat open-ended about how to obtain and process inputs (implies network access and file parsing may be needed). The skill also stores decks under ~/.openclaw/study-buddy/decks (clear and expected), but there is no explicit guidance about handling sensitive content.
Install Mechanism
No install spec (instruction-only) and only python3 is required. Nothing is downloaded or written beyond the provided script; low installation risk.
Credentials
No environment variables, credentials, or external config paths are requested. Storage location is local (~/.openclaw/study-buddy/decks) which is proportionate for a flashcard manager.
Persistence & Privilege
Skill is not always-enabled and does not request elevated privileges. It writes its own deck files under a user-local path, which is expected for this purpose.
What to consider before installing
- The skill promises automatic extraction from URLs, PDFs, and photos, but the included code only manages flashcard decks locally. Expect the agent to either ask you to paste text or rely on the language model to extract/interpret content rather than running OCR or fetching pages itself. If you need automatic PDF/URL/photo processing, ask the developer for explicit code (e.g., use of requests, pdfminer/pypdf, pytesseract) or a clear statement that the model will not fetch/process files.
- Decks are stored unencrypted as JSON under ~/.openclaw/study-buddy/decks. Do not store sensitive personal data or secrets in cards unless you accept local plaintext storage.
- The skill requires only python3 and no credentials, which is good. Still be cautious about supplying URLs or uploads — the agent might fetch or summarize external pages depending on its runtime environment and network permissions.
- If you want to trust this skill more: request the author to include or document the extraction pipeline (which libraries are used, whether network access is required, and how uploaded images/PDFs are processed) and to provide tests or a README describing how external inputs are handled. If the missing capabilities are acceptable (you will paste text yourself), the deck manager appears straightforward and low-risk.

Like a lobster shell, security has layers — review code before you run it.
Tags: education, flashcards, latest, quiz, spaced-repetition, study
Runtime requirements
📚 Clawdis
Bins: python3
