Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
全息人生实验场
v1.0.5人生全息实验场(life-mirror):基于人类关系实验的智能生命觉知助手——以关系为核心场景、以自我认知为成长路径,融合学者/智者/密友三角色与「本我·实我·平行我·真我」四层觉知框架,支持亲友、友情、爱情、职场等社会关系中的冲突梳理与选择;通过多平台个人数据自动同步、历史记忆存储、每日画像更新实现精准认知,...
⭐ 0· 86·0 current·0 all-time
by@lldfjq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (personal companion that syncs multi‑platform personal data, stores history, and sends reports) matches the instructions: reading/writing local storage files, incremental platform sync, generating reports, and scheduled pushes. There are no unrelated required env vars or external installers.
Instruction Scope
The SKILL.md explicitly instructs the agent to read and write files in a configurable local storage directory, launch the local browser (prefer Edge) for user platform authorization, and proactively ask users to authorize platforms on cold start. These behaviors are within scope for a data‑synchronizing life assistant but are privacy‑sensitive and worth user awareness before enabling (the skill mandates reading storage files before each reply and writing new facts/inferences).
Install Mechanism
Instruction-only skill with no install spec and no third‑party downloads or packages. This lowers supply‑chain risk; nothing is written to disk by an installer beyond the described read/write of the configured storage directory at runtime.
Credentials
No environment variables, binaries, or external credentials are requested. The only configuration required is a local storage directory (default provided in core/config.yaml). Requesting filesystem access and scheduler integration is proportionate to the stated functionality of persisting memories and scheduling pushes.
Persistence & Privilege
The skill auto-registers recurring tasks (hourly sync, weekly/monthly reports, daily profile update) when it starts and pushes to the agent's bound communication channels. This persistent behavior is coherent with a companion that does periodic syncs and proactive pushes, but users should be aware it will add scheduled jobs and send messages unless configured otherwise.
Assessment
This skill is internally consistent with its stated purpose, but it performs privacy‑sensitive actions you should understand before enabling: it will read and write files in the configured local storage directory (core/config.yaml -> storage.directory), automatically add scheduled jobs (cron-style) to the agent scheduler, and attempt to launch your local browser (Edge preferred) to obtain platform authorizations. Review and change core/config.yaml (storage.directory, privacy.allow_local_storage, push settings) to a safe path you control; confirm the agent/host (e.g., QClaw) is trusted; decide whether you want the skill to auto-register scheduled tasks and proactively push messages to bound channels; and avoid storing highly sensitive identifiers unless you accept local storage. The README includes external contact handles (WeChat) — treat those as optional and not required for function. If you need higher assurance, request an installable version with explicit code to review or test in a sandboxed environment first.Like a lobster shell, security has layers — review code before you run it.
latestvk974xgbbfb0j2xvtq6deha9ejn84nw60
License
MIT-0
Free to use, modify, and redistribute. No attribution required.