Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
momo
v0.1.0
Momo namespace for Netsnek e.U. time tracking and invoicing tool for freelancers. Logs work hours, generates timesheets, creates invoices, and tracks payments.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description advertise logging hours, generating timesheets, creating PDF invoices, and tracking payments. The package contains a tiny shell script that only parses flags and prints mode messages; there is no implementation of data storage, reports, PDF generation, emailing, or payment tracking. The declared capabilities are disproportionate to the actual code.
Instruction Scope
SKILL.md instructs the agent/user to run scripts/timesheet.sh with --log/--report/--invoice and gives examples that imply full functionality. The runtime instructions do not direct the agent to read unrelated system files or credentials. However, the instructions assume features (PDF generation, invoice status tracking) that are not implemented by the provided script, which is an inconsistency rather than an explicit malicious action.
Install Mechanism
No install spec is present (instruction-only with a small included script). This is low-risk from an installation perspective — nothing is downloaded or written to system paths by an installer.
Credentials
The skill does not request any environment variables, credentials, or config paths. There is no apparent need for secrets or external service access in the provided code. The lack of requested credentials is proportionate to the actual (minimal) implementation.
Persistence & Privilege
The skill is not marked always:true, does not request elevated privileges, and does not modify other skills or system configuration. The only permission is 'exec' to run the included script; the script itself performs no persistent changes.
What to consider before installing
This package appears to be a stub: it promises full time-tracking and invoicing features (PDF generation, payment tracking) but the only included script just echoes modes and does not store or send data. If you expected a working invoicing tool, do not rely on this release — ask the publisher for a full implementation or source for the invoice/reporting code. From a security standpoint the current contents are low-risk, but avoid giving it access to your real data until it actually implements storage, export, or external network calls. If you install or test it, run it in an isolated environment and inspect any future code updates for network calls, file writes, or credential usage before trusting it with client data.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
OS: Linux
