Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

whoami

v1.0.2

Cross-AI user identity profile sync service. When you need user's background, preferences, or personal context to better execute a task, invoke this skill to...

0· 319·0 current·1 all-time
by Morvan @morvanzhou
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (user identity profile sync) align with the included script and SKILL.md: the skill reads/writes a Markdown profile to a remote service and stores a local config at ~/.whoamiagent. No unrelated binaries or credentials are requested in the files.
Instruction Scope
SKILL.md and the script instruct the agent to auto-open a browser for login and to curl a user-provided one-time configuration URL and save its contents directly to ~/.whoamiagent. The agent is instructed to upload profile content to the remote API (POST /api/profile). These behaviors are coherent with the stated purpose but carry privacy risk: user profile data (potentially sensitive) will be transmitted to an external service, and the agent is told to write a config file fetched from an external URL without local validation.
Install Mechanism
No install spec and no external binary downloads — the skill is instruction+script only. Execution uses the system python3 interpreter, which is proportionate to the task.
Credentials
The runtime requires an API key stored in ~/.whoamiagent (WHOAMI_API_KEY), but the registry metadata lists no primary credential or required env vars — a mismatch. The script also respects WHOAMI_ENDPOINT and WHOAMI_FRONTEND_URL environment variables (which can redirect traffic to arbitrary hosts), but these are not declared in metadata. The skill will transmit user profile content to an external endpoint, so requiring and documenting the API credential in the registry would be expected but is missing.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It writes/reads a config file in the user's home (~/.whoamiagent) and may delete temp files created during updates; this behavior is consistent with its functionality.
What to consider before installing
Before installing or enabling this skill, consider:
1) The skill stores and uploads a personal profile to a remote service (default https://whoamiagent.com). Only use it if you trust that service and its privacy policy.
2) The skill requires an API key saved to ~/.whoamiagent (WHOAMI_API_KEY), but the registry metadata did not declare this credential — verify where that config comes from and inspect it before running.
3) The SKILL.md instructs using curl to download a one-time config URL and save it directly to your home config file; do not run those commands if you cannot verify the URL/source.
4) Environment variables (WHOAMI_ENDPOINT, WHOAMI_FRONTEND_URL) can redirect the skill to arbitrary endpoints — ensure these are unset or point to trusted hosts.
5) Avoid putting secrets or very sensitive personal data in the profile; the skill will POST profile content to a third-party API.
6) If you still want to try it, run the script in a controlled environment first (inspect ~/.whoamiagent after setup, test against a non-production endpoint, or sandbox it).
If you want a safer alternative, request the skill author to add explicit registry metadata listing the required API key and to include an option to preview/validate any downloaded config before writing it to disk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cn4601hmfd0rqp3meecc2rn826w6y
