ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Timeline

v1.0.0

Log dated events and facts to a queryable personal timeline. Use when the user wants to record something that happened (medical events, family moments, miles...

0· 26·0 current·0 all-time
by@levineam
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (personal event log) aligns with the delivered artifacts: an instruction document and a Bash script that logs, searches, and lists entries in a Timeline.md file. The required operations (date parsing, grep/ripgrep, sed) are coherent with the stated functionality.
Instruction Scope
Runtime instructions and the script only read/write the Timeline.md file and use local text tools (date, grep, sed). There is no network I/O, external endpoints, or attempts to read other system configs. Note: SKILL.md mentions possible integrations (briefings/heartbeat/medical folder) as future ideas, but these are not implemented.
Install Mechanism
This is an instruction-only skill with a small included bash script; there is no installer, no downloaded archives, and no package registry pulls. Risk from install mechanism is minimal.
!
Credentials
The script reads VAULT_PATH (falling back to a hardcoded default '/Users/andrew/Documents/Vault v3') but the skill declares no required environment variables. The use of an undeclared VAULT_PATH and a hardcoded default user directory is an inconsistency the user should be aware of: the script will create/modify files in that path by default. No credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or system-wide settings. It writes a local Timeline.md file (expected for its purpose) but does not request persistent elevated privileges.
Assessment
This skill appears to do what it says: it creates and edits a local Timeline.md in a vault folder. Before installing, review and consider: (1) the script uses VAULT_PATH but the skill doesn't declare it — set VAULT_PATH explicitly to a directory you control so it doesn't default to /Users/andrew/Documents/Vault v3; (2) the script will create and write Timeline.md in that folder, so avoid pointing it at any sensitive system directory or shared repo; (3) there is no network activity in the code, but you should still inspect the script yourself or run it in a safe environment to confirm; (4) back up any existing Timeline.md before first run; and (5) if you plan to enable autonomous agent invocation, be mindful that the skill can create or modify local files (store private health/family info) — limit access accordingly.

Like a lobster shell, security has layers — review code before you run it.

latestvk9790s8aszcnb8f1yc0tppy2ad84622e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments