Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Travel Tracker

v1.0.0

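Manage and tally work/personal trip records, generate Excel reports, and sync to Obsidian. Use when: querying trip records, counting trips, generating a trip Excel report, syncing trip data to Obsidian, automatically extracting trips from the calendar, setting trip reminders. Triggers: "外出统计", "外出记录", "travel report", "...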

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (manage travel records, generate Excel, sync to Obsidian, extract from calendar) aligns with the commands shown, but the skill provides no code or install step. It expects a specific set of local scripts in ~/.openclaw/workspace/scripts; that requirement is not documented in metadata and is unlikely to exist on a fresh system. This reliance on user-local scripts is surprising and makes the skill unusable without external files.
Instruction Scope
The SKILL.md instructs the agent to execute multiple absolute-path shell and Python scripts in the user's home (~/.openclaw/workspace/scripts/*). Those scripts (if present) could read/write calendars, files in ~/Documents/obsidiansave/, exports/, memory/, and perform arbitrary actions. The instructions do not include existence checks, safety constraints, or any indication of what data will be read/transmitted, nor do they describe how calendar access or Obsidian sync is performed.
Install Mechanism
There is no install spec (instruction-only). That reduces the risk of the skill adding files itself, but it also means the skill depends on external artifacts that are not provided. The absence of an install step is coherent with being instruction-only but amplifies the concern that running the skill will attempt to execute arbitrary local scripts.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However the instructions imply access to Apple Calendar and to the user's filesystem (Obsidian path, exports, memory). Those accesses are not declared or explained, so the skill will implicitly rely on the agent's ability to access local calendars and filesystems — this should be verified before use.
Persistence & Privilege
The skill does not request always:true or any special persistent privileges. It is user-invocable and will not be force-attached to all agents. No install-time writes are declared.
Scan Findings in Context
[no-findings] expected: The regex scanner found no code to analyze because this is an instruction-only skill (only SKILL.md). No automated findings to contextualize.
What to consider before installing
This skill will try to run a set of local scripts under ~/.openclaw/workspace/scripts and read/write files in ~/Documents/obsidiansave/, exports/, and memory/. Before installing or invoking it: (1) confirm those scripts actually exist and inspect their contents — do not run them if you don't trust them; (2) verify how calendar extraction works and whether it accesses your Apple Calendar API or local calendar files; (3) ensure the Obsidian path is correct and you are comfortable with files being written there; (4) if you want this skill to be safe, ask the publisher for the missing scripts or an install manifest, or run it in a sandboxed environment; (5) avoid invoking it with elevated privileges and consider backing up affected directories first.
