Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Connection Tracker
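v1.0.0
Automatically tracks and visually records connections in the people domain, the object domain, and Memory; evaluates connection value; generates daily and weekly reports; and helps avoid wasted resources.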
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
SKILL.md claims automatic tracking of Zhihu/Twitter/GitHub interactions and auto-recording on Memory writes and scheduled daily/weekly generation. The included code (handler.js) only implements a local CLI and file-based reporting (reads/writes under ~/.openclaw/workspace) and has no network integrations, webhooks, file watchers, or connectors to those platforms. The skill therefore overstates its capabilities.
Instruction Scope
Runtime instructions tell the agent to auto-trigger on external events, but neither SKILL.md nor handler.js provides steps or code to subscribe to platform APIs or webhooks, or to watch MEMORY.md. The SKILL.md also promises it will 'not track sensitive info', but the code will persist whatever fields are passed to addConnection without redaction or validation—so privacy guarantees are only declarative, not enforced.
Install Mechanism
No install spec or remote downloads; the skill is instruction-only plus a local handler.js file. No external packages or networked installs are performed by the skill itself, and code only uses standard fs/path modules to write files under the user's HOME directory.
Credentials
The code uses only process.env.HOME to determine a workspace path; no credentials, API keys, or unrelated environment variables are requested. This is proportionate to the file-based tracking purpose.
Persistence & Privilege
always is false; the skill writes files under ~/.openclaw/workspace which is expected for a local tracker. It does not modify other skills or system-wide settings and does not request persistent elevated privileges.
What to consider before installing
This skill's code is local and low-risk in terms of network exfiltration, but the README overpromises capabilities. Before installing:
(1) Confirm how 'automatic' triggers will be provided—ask the author for concrete integration code (webhooks, platform connectors, or filesystem watchers).
(2) If you plan to wire external services, avoid putting API keys or private data into connection fields—the code will store whatever you pass.
(3) If you need automatic scheduling, set up your own cron/jobs as SKILL.md suggests; the code does not install cron jobs.
(4) If you want the privacy guarantees enforced, request or add input validation/redaction logic before writes.
If these clarifications are not provided, treat the skill as a manual/local tracker only and do not rely on its claimed automated integrations.
Like a lobster shell, security has layers — review code before you run it.
latest vk9753433mbfp70xxksh7xey1t183xa19
