Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Longevity OS
v0.1.1
Meta-skill for the Longevity OS bundle that routes natural language health conversations to the right capability — nutrition logging, health profile, pattern...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The description promises a multi-skill 'Longevity OS' bundle (snap, health, news, insights, daily-coach) but the package contains only an instruction file (SKILL.md) and README.md. The runtime instructions repeatedly reference scripts/, skills/, docs/install.md, seed/, and other files that are not included in the published skill. Requiring no env vars or binaries is inconsistent with an installer that expects to run Python install scripts and configure cron/Telegram integration.
Instruction Scope
SKILL.md tells the agent/user to clone the GitHub repo, run python3 scripts/install_bundle.py (with verify), copy seed data, edit cron templates (including inserting a Telegram DM chat id), and inspect local OpenClaw config (~/.openclaw/openclaw.json). Those actions involve downloading and executing code from a remote repo and reading/writing local config and cron entries. Many referenced files (docs/install.md, skills/*, scripts/*, seed/*) are not present in the packaged skill, so following the instructions would require fetching external content and running it locally.
Install Mechanism
There is no explicit install spec in the registry (instruction-only), which is lower technical risk for the package itself. However, the instructions direct the user to clone and run code from the GitHub repo (python3 scripts/install_bundle.py). That implies executing remotely-hosted code not shipped in the skill — a higher-risk install path if the external repo or scripts are unreviewed.
Credentials
The skill declares no required env vars or credentials, yet the instructions expect access to local OpenClaw config (~/.openclaw/openclaw.json), cron, and Telegram DM configuration (chat id). It also asks the user to seed local data directories and register extra skills paths. Reading/writing those local configs and scheduling cron jobs are reasonable for an installer, but the skill did not declare them and the actual scripts that would perform them are not present for review — this mismatch increases risk.
Persistence & Privilege
The skill is not marked always:true and doesn't attempt to modify other skills in its metadata. The instructions do ask the user to register the bundle with OpenClaw (skills.load.extraDirs) and to add cron jobs, which are expected for a bundle installer, but those operations would be performed by external scripts or manual steps, not by the packaged skill itself.
What to consider before installing
This package is instruction-only and references many files and scripts that are not included. Do not blindly run install commands from an unknown source. Before cloning or running anything: (1) inspect the remote GitHub repo contents (confirm scripts/, skills/, seed/, docs/) and open scripts/install_bundle.py to see exactly what it does; (2) review any installer or cron templates for network endpoints, uploads, or telemetry; (3) avoid running installers as root and run them in a sandbox or VM if possible; (4) verify that the repo maintainer is trustworthy and the repo content matches the bundle's claims; (5) if you want this skill to be installed, ask for the missing subskill files (skills/) or request that the publisher include the actual scripts in the package so you can review them locally before executing.
Like a lobster shell, security has layers — review code before you run it.
