Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nudge CLI
v1.1.0
How to use the nudge CLI — commands, flags, setup, and onboarding. Use this skill whenever the user wants to create a task, add a secret, check status, confi...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the content: this is an instruction-only CLI guide for the 'nudge' tool and the included commands, onboarding, and punishment actions are consistent with that purpose. It legitimately shows how to configure external posting actions (e.g., Beeper/WhatsApp) and how to seed secrets used by the tool.
Instruction Scope
The instructions explicitly direct the agent/user to solicit 3–5 'embarrassing secrets' and configure actions that will transmit those secrets to external recipients (Beeper/WhatsApp). While this matches the product purpose, it means the skill instructs collection and transmission of highly sensitive personal data — a privacy risk. The SKILL.md also instructs passing tokens (e.g., --token) on the command line and using default data-dir (~/.nudge); these runtime steps are not declared in metadata and broaden the effective scope.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md recommends installing via brew (third‑party tap), 'go install' from a GitHub repo, or running a remote install script with 'curl https://raw.githubusercontent.com/... | sh'. Piping a remote script to sh and using a personal Homebrew tap are higher-risk actions and should be treated with caution — the skill's metadata did not include an install artifact or checksum to verify.
Credentials
The published metadata requests no environment variables or credentials, which is consistent with a documentation-only skill. However, the runtime instructions show commands that accept tokens and target identifiers (e.g., --token, --default-group, --add-contact). Those credentials are necessary for punishment actions but are not declared in requires.env; users should be aware they will need to supply service tokens and that passing secrets on the command line can expose them via shell history.
Persistence & Privilege
The skill is user-invocable and not always-included; it requests no special platform privileges, doesn't modify other skills, and has no install-time persistence declared. Autonomous invocation is allowed (platform default) but unremarkable on its own.
What to consider before installing
This is a how-to for a CLI that intentionally collects and can publish sensitive, personal 'secrets' to third parties — that's the product, not a hidden behavior. Before installing or using it:
1) Do not run 'curl | sh' unless you have inspected the script and trust the upstream repo; prefer vetted packages or verify checksums.
2) Review the GitHub repo (neilsanghrajka/nudge) and Homebrew tap to confirm authorship and review install scripts.
3) Be cautious supplying tokens on the command line (they can end up in shell history); prefer storing credentials securely.
4) Understand legal/privacy/ethical consequences of sending private information to contacts or services; get consent where appropriate.
5) If you want this skill only as documentation (no installs), you can use the guidance without running installers.
If you need a deeper analysis (e.g., review of the remote install script or the upstream repo contents), provide the install script or repo URL and I can examine it — that would raise confidence in the assessment.
Like a lobster shell, security has layers — review code before you run it.
