Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Inventory Reorder Calculator

v1.1.0

Estimate ecommerce reorder timing and quantity using demand, lead time, and safety stock assumptions so teams can set reorder points and reduce stockout risk...

by LeroyCreates @leooooooow
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and all included documents consistently implement an inventory reorder calculator workflow (demand analysis, lead‑time modeling, safety stock, ROP, quantity constraints). There are no unexpected binaries, environment variables, or credentials requested.
Instruction Scope
Instructions are narrowly scoped to inventory inputs, formulas, and reporting templates and do not ask the agent to read system files, credentials, or external endpoints. However, the SKILL.md contains Unicode control characters flagged as potential prompt injection; these could be used to manipulate model behavior or the evaluation process and should be inspected and removed if unintended.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing will be written to disk or executed by an installer. That minimizes technical installation risk.
Credentials
The skill requires no environment variables, credentials, or config paths. The inputs it requests are business/inventory data (sales, lead times, costs), which align with the described purpose.
Persistence & Privilege
Flags show always:false and no system modification instructions. The skill does not request permanent presence or elevated privileges. Note that model invocation is allowed (default), so the agent could call the skill autonomously — normal behavior but worth considering in combination with the prompt-injection signal.
Scan Findings in Context
[unicode-control-chars] unexpected: The content scanner detected Unicode control characters in SKILL.md. These characters are not expected for an inventory-calculation guide and can be used to hide or alter instructions seen by models or renderers (e.g., zero-width spaces, directionality overrides). This finding is worth manual inspection; it does not by itself prove malicious intent but does increase risk.
What to consider before installing
This skill appears to do what it says (reorder calculations) and requests no credentials, which is good. Before installing or enabling it:
1) Inspect the raw SKILL.md in a plain text editor and remove any invisible/unexpected unicode control characters (zero-width spaces, bidi overrides, etc.).
2) If you let an agent call skills autonomously, consider enabling audit/logging or requiring user confirmation for actions that would trigger real orders.
3) Run the skill on a safe sample SKU (no real POs) to verify outputs match expectations.
4) If you see any suspicious or opaque instruction after removing control characters, treat the skill as untrusted and do not use it for production purchasing decisions.
If you can provide the raw bytes or a diff showing which control characters were found, I can re-evaluate and raise confidence.
