Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sleep Tracker
v1.0.0睡眠改善工具。睡眠分析、改善建议、作息规划、睡眠环境优化、小睡指南、睡眠日记。Sleep tracker with analysis, improvement tips, schedule planning, environment optimization, nap guide.
⭐ 0· 18·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (sleep tracking, tips, journaling) aligns with included CLI design and two Bash scripts. The scripts implement logging, tips, analysis, reminders, export and history — all consistent with the stated purpose. No unrelated cloud or remote-service credentials are requested.
Instruction Scope
SKILL.md instructs only local CLI use and optionally reading SLEEP_TRACKER_DIR. The scripts create and write to a local data directory (~/.local/share/sleep-tracker or XDG_DATA_HOME override) and /tmp/sleep_journal.txt, and log command history. That is expected, but storing user text (notes, journal entries) to plain text files means sensitive content could be written to disk. I could not review the entire body of scripts because the provided sleep.sh content in the listing is truncated; the visible portions show no network calls, but the unseen tail could change that.
Install Mechanism
No install spec is provided (instruction-only install) — lowest risk for remote code fetch. The package simply includes Bash scripts. No downloads from arbitrary URLs or package manager installs are declared.
Credentials
No required environment variables or credentials are declared. The skill optionally respects SLEEP_TRACKER_DIR/XDG_DATA_HOME for storage location — reasonable for a CLI data-writing tool. No other env vars are accessed in SKILL.md or the visible script excerpts.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It writes to its own data directory and /tmp; it does not appear to modify other skills or global agent configuration based on the visible content.
What to consider before installing
The package appears coherent and mostly local: it stores logs in ~/.local/share/sleep-tracker (or SLEEP_TRACKER_DIR) and /tmp, and uses plain Bash. Before installing or running: 1) Inspect the full scripts locally (the provided sleep.sh was truncated in the listing) to confirm there are no network calls, credential reads, or commands like curl/wget/ssh/exfiltration. 2) Be aware your entries and command history are stored in plain text (data.log, history.log, /tmp/sleep_journal.txt) — avoid putting secrets there or set SLEEP_TRACKER_DIR to an encrypted/controlled location. 3) Run first in a sandboxed environment if you want to be extra cautious. 4) If you plan to export or share data, remember exports go to stdout and could leak sensitive notes. If you can provide the full sleep.sh content I can re-evaluate and raise confidence.Like a lobster shell, security has layers — review code before you run it.
latestvk97acdrfgzq7f5jp8ypsqdhzt58495f5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.