Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

self-track

v1.0.0

Sig Botti's self-improvement tracking system. Use when (1) learning something new, (2) noticing a gap in capabilities, (3) completing a self-improvement task...

by luke @louch84
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is personal self-tracking (gaps, lessons, weekly reviews). The instructions go beyond that by referencing: (1) Ollama/nomic embedding usage, (2) python scripts (scripts/ollama_mem.py) that are not included, and (3) an openclaw skill-creator script under /usr/local/lib/node_modules/... which would create skills on the host. These referenced capabilities are not declared in the manifest (no dependencies, no env vars) and some (skill creation) are not necessary solely for tracking progress.
Instruction Scope
Runtime instructions tell the agent/user to read and write files under memory/, run local python scripts, call an embedding backend (Ollama/nomic), and run openclaw CLI commands (openclaw cron list). The SKILL.md assumes presence of specific scripts and system paths that are not provided and could cause the agent to attempt filesystem or network actions outside the simple tracking purpose.
Install Mechanism
This is instruction-only with no install spec and no code files included. That lowers installation risk (nothing will be automatically downloaded or written by an installer).
Credentials
The manifest declares no required environment variables or credentials, but the instructions reference an embedding stack (Ollama/nomic) which in some setups may require configuration or credentials. The SKILL.md also references python3 and openclaw tooling but doesn't declare them as requirements. The absence of declared env/dependency requirements is a mismatch with the instructions.
Persistence & Privilege
The skill does not set always:true and requests no declared persistent privileges. However, the instructions guide the user/agent to run a skill-creator script in /usr/local/lib/node_modules and to commit files (write to skills/ and memory/). That implies filesystem writes and potential creation of new skills, which expands the effective write scope beyond mere note-taking—this should be considered before granting execution rights.
What to consider before installing
This skill is mostly a set of personal workflow instructions, but it refers to local scripts and tools that are not included or declared. Before using or allowing an agent to run these steps: (1) verify that the referenced scripts exist and inspect their contents (scripts/ollama_mem.py, the openclaw skill-creator script) — do not run unknown scripts; (2) ensure you understand where vector/embedding data would be sent (Ollama/nomic) and whether any API keys or external services are involved; (3) be cautious about running commands that write into system paths (e.g., /usr/local/lib/node_modules) or that auto-create skills—these can modify your environment; (4) if you want to install or use this skill, ask the author to include missing scripts or to explicitly declare required binaries and environment variables so you can audit them. If you need a safer evaluation, provide the missing scripts or a clearer dependency list so this assessment can be upgraded.

Like a lobster shell, security has layers — review code before you run it.

latestvk97abgzwj7t4byszyje6m9t15n83ptps
