Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cyber Growth
v1.0.0 · A cyberpunk × EVA styled growth-tracking system. Supports two modes: (1) automated mode: the Agent calls accumulate.sh at the end of a conversation to accumulate events, nightly.sh settles the day automatically at 24:00, and morning-report.sh sends the morning report at 9:00; (2) manual mode: call grow.sh r... directly
⭐ 0 · 275 · 1 current · 1 all-time
by Syfy@m17y
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
Name/description (a local 'growth tracking' tool) matches the files and scripts provided: local JSON/JSONL storage, reporting, and optional Feishu sync. No unexpected external services are required by default.
Instruction Scope
SKILL.md instructs the Agent to autonomously call accumulate.sh at the end of conversations (quoted as '不需要等用户询问,Agent 主动记录', i.e. "no need to wait for the user to ask; the Agent records proactively"), which grants broad discretion to record dialogue-derived strings. Accumulated events are appended locally, which fits the purpose, but automatic and unsupervised logging of arbitrary conversation content is privacy-sensitive and increases the attack surface when combined with the other issues noted below (see Persistence & Privilege and the install considerations).
Install Mechanism
Instruction-only with bundled scripts — no installer or remote downloads. Scripts are stored under the skill directory and only run when invoked. This is low-risk from supply-chain/install perspective.
Credentials
No environment variables or external credentials are required by default. Optional Feishu sync exists and is configured by writing tokens into the local data file; that is proportionate but should be treated as an explicit opt-in. The skill writes to $HOME/.openclaw/memory which is expected for a local tracker.
Persistence & Privilege
always:false (good). However SKILL.md explicitly asks Agents to autonomously record events during conversations and suggests cron/heartbeat automation for nightly/morning runs. Autonomous recording + scheduled processing increases risk if not opt-in or rate-limited; combined with a code-injection vulnerability in the scripts, this is particularly hazardous.
What to consider before installing
This skill is largely what it says: a local growth tracker that appends events to files and generates reports. However, do NOT enable automatic agent-driven recording or cron processing until you address a critical flaw: grow.sh embeds user-supplied description strings directly into python3 -c code without escaping, which can allow arbitrary code execution if an attacker or malicious input supplies a crafted description. If you still want to use it, take these precautions:
(1) run it only in a sandboxed environment or a throwaway account;
(2) disable automatic/agent-initiated recording and require manual calls;
(3) do not configure Feishu sync (or any external sync) unless you trust and have reviewed the sync implementation;
(4) patch grow.sh so that it no longer interpolates unescaped strings into python -c (use a safe JSON writer, pass the data via stdin, or have a dedicated JSON library call read it from a file or stdin);
(5) inspect sync_to_feishu and any network-calling code before providing tokens.
Because of the unsanitized Python interpolation combined with the automatic-recording guidance, treat this skill as suspicious until it is remediated.
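The remediation in point (4) is easiest to see side by side. The following is an added example, not code from the Cyber Growth skill or its scripts: it contrasts the fragile shape the scan describes (a description string spliced into the source handed to python3 -c) with a version that delivers the string to Python as data through an environment variable, so json.dumps escapes it for the JSONL record. Function names, the record layout and the sample description are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Cyber Growth skill. Function names and
# the {"type": ..., "desc": ...} record layout are assumptions.

# Fragile pattern: $desc becomes part of the Python program text. A
# description that merely contains a single quote, such as "It's done",
# already breaks the program with a SyntaxError; text that happens to parse
# as Python would instead run with the script's privileges.
append_event_fragile() {
    file="$1"; desc="$2"
    python3 -c "import json; print(json.dumps({'type': 'event', 'desc': '$desc'}))" >> "$file"
}

# Hardened pattern: the Python source is a fixed single-quoted literal and
# the description reaches it through an environment variable. json.dumps
# then escapes quotes, backslashes and newlines for the JSONL line.
append_event_safe() {
    file="$1"
    EVENT_DESC="$2" python3 -c '
import json, os, sys
rec = {"type": "event", "desc": os.environ["EVENT_DESC"]}
sys.stdout.write(json.dumps(rec) + "\n")
' >> "$file"
}

# Read the description back from the last JSONL record in a file so the
# round trip can be checked.
last_event_desc() {
    python3 -c '
import json, sys
with open(sys.argv[1]) as f:
    print(json.loads(f.read().splitlines()[-1])["desc"])
' "$1"
}

# Demo on a constructed temporary file; nothing under $HOME/.openclaw is touched.
demo() {
    tmp=$(mktemp)
    append_event_safe "$tmp" "It's done; finished the \"EVA\" module"
    last_event_desc "$tmp"
    rm -f "$tmp"
}
demo
```

Passing the value through the environment (or stdin) keeps the boundary between code and data where the interpreter enforces it; escaping the string by hand inside the bash script is the approach that tends to go wrong again on the next special character.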
