ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Analytics

v1.0.0

Track skill usage across all agent sessions. Logs every skill invocation to a JSONL file, generates daily summaries with top skills, unused skills, and trend...

0· 20·0 current·0 all-time
byNetanel Abergel@netanel-abergel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with what the SKILL.md asks the agent to do: append invocation records to a JSONL log and produce a daily report. No unrelated binaries, env vars, or installs are requested.
!
Instruction Scope
The instructions ask that every skill append raw invocation data (including the trigger phrase) to a shared workspace file. That can capture arbitrary user input (potentially sensitive) and the SKILL.md tells maintainers to 'Add this at the TOP of any skill' — i.e., modify other skills' runtime behavior. The file is claimed to be 'local only' but nothing in the instructions enforces or guarantees it won't be read or transmitted by other code or processes.
Install Mechanism
Instruction-only skill with no install steps and no downloads. Uses standard CLI utilities (date, mkdir, echo, grep, jq, tail, awk) — jq is optional with a provided Python fallback.
Credentials
No credentials, env vars, or config paths are requested. The single shared filesystem path (/opt/ocana/openclaw/workspace/data/skill-analytics.jsonl) is justified for local logging, but ownership and access control should be considered.
Persistence & Privilege
always:false and no install means the skill does not force permanent presence. However, the guidance to add logging into other skills implies code changes across other skills (manual or automated), which is intrusive; review and consent are needed before applying widely.
What to consider before installing
This skill is coherent with its stated purpose but has privacy and operational implications you should consider before deploying: - The log records 'trigger' strings and contexts that may contain sensitive user input; treat the JSONL file as sensitive data. Ensure file permissions limit who can read it. - The SKILL.md suggests adding the logging snippet to the top of other skills — do NOT modify third-party skills without review. Prefer running the logging at the agent/platform layer rather than editing every skill. - The SKILL.md claims the log is 'local only' but provides no enforcement; review any cron jobs, backups, or other code that could read or transmit the file. - Add rotation/retention and consider redaction or hashing of sensitive triggers to reduce leak risk. - Verify jq or the Python fallback is available in your runtime; test the report script in a safe environment. If you want to proceed: restrict file ACLs, document what fields are logged, get consent from stakeholders, and consider implementing logging at a single trusted layer rather than inserting snippets into many skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk976faecbrmam77tmd9dba7aes842vey

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments