ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apple Contacts

v1.0.1

Access and search Apple Contacts on macOS using AppleScript. Use when the user asks to look up a contact, find a phone number or email, search contacts by na...

0· 155·0 current·0 all-time
by@neriros
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The stated purpose (querying macOS Contacts via AppleScript) is coherent with using osascript, but the SKILL.md requires a scripts/contacts.applescript under the skill directory. The package manifest contains only SKILL.md and no scripts or code files, so the skill as published cannot perform the claimed functionality without additional files not present in the package.
Instruction Scope
Instructions are narrowly scoped to running osascript against a local AppleScript to read Contacts. That behavior legitimately requires macOS Contacts permission and will access sensitive personal data (all address-book entries). The instructions do not ask to read unrelated files or exfiltrate data, but they do direct the agent to access local contacts — a privacy-sensitive action that should be explicit to users.
!
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general. However the SKILL.md's 'ensure scripts/ directory is intact' requirement is inconsistent with the manifest's lack of any scripts. Either required script files were omitted from the package or SKILL.md is stale; both are problematic because the skill will fail or depend on out-of-band downloads.
Credentials
No environment variables, credentials, or config paths are requested — appropriate for a local Contacts lookup. Note that the skill will request macOS Contacts permission at runtime, which grants access to the user's address book (sensitive personal data).
Persistence & Privilege
always is false and autonomous invocation is allowed (platform default). There is no evidence the skill requests permanent presence or modifies other skills or system-wide settings.
What to consider before installing
This skill's purpose (reading Apple Contacts via osascript) is plausible, but the package as published contains only SKILL.md and no scripts. Before installing: (1) do not install or enable the skill unless the package includes the referenced scripts/contacts.applescript files — ask the publisher for the missing files or a verified release. (2) If you obtain the scripts, inspect their contents before running to ensure they only access local Contacts and do not transmit data elsewhere. (3) Be aware enabling the skill will trigger macOS Contacts permission and allow the script to read your address book (sensitive personal data). (4) Prefer installing/testing in a controlled macOS account or sandboxed environment and confirm no network calls are made by the scripts. If the publisher cannot supply the missing scripts or a trustworthy source, treat the skill as incomplete/untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cgxq54yj6jmjfay1jcmdg09832s3r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments