Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nex Gdpr

v1.0.0

GDPR and AVG (Belgian data protection law) compliance handler for agency operators, data controllers, and organizations managing data subject requests. Regis...

by Nex AI (@nexaiguy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name, description, and commands align with the code: it scans sessions, logs, memory and certain SQLite DBs and provides request management, exports, and deletion. However, metadata/SKILL.md mark it as 'instruction-only' while the bundle contains executable code and a setup.sh that will install files and create a local DB/executables. Also, requires.env lists NEX_GDPR_SCAN_PATHS, but the included Python code does not appear to read that variable (SESSION_DIRS reads OPENCLAW_SESSIONS). These mismatches reduce confidence that the declared requirements fully reflect what will be installed/run.
Instruction Scope
Runtime instructions and the code explicitly direct the agent to read wide-ranging local data: OpenClaw session folders, agent memory (~/.nex-memory), application logs (~/.nex-logs), user upload directories (~/.nex-uploads), and other skills' SQLite DB files (e.g., ~/.life-logger, ~/.nex-inbox, ~/.nex-notes). That is coherent for a GDPR tool but represents broad access to potentially unrelated user data. The README/SKILL.md also instructs running setup.sh which will create a venv, database files, and a CLI wrapper—so the skill will persist data locally and perform file I/O beyond ephemeral instructions.
! Install Mechanism
There is no formal install spec in registry metadata, but the package includes setup.sh and multiple Python modules (nex-gdpr.py, lib/*). setup.sh is advertised in README and SKILL.md; running it will write to the user's home directory (~/.nex-gdpr) and place an executable under ~/.local/bin. The lack of an explicit registry install spec combined with an executable install script is a risk to verify (review setup.sh before running).
! Credentials
Declared required env vars are OPENCLAW_SESSIONS and NEX_GDPR_SCAN_PATHS. The code reads OPENCLAW_SESSIONS (used in SESSION_DIRS) but I could not find code that parses NEX_GDPR_SCAN_PATHS; README references it. The scanner accesses many hard-coded home-directory locations and other skills' DB files, which is consistent with its purpose but broad. No cloud or unrelated secret env vars are requested, which is good, but the unused declared env var and broad default scan targets are inconsistencies to clarify.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It creates a persistent local data directory (~/.nex-gdpr), an SQLite database, export and audit directories, and may create a CLI wrapper in ~/.local/bin when setup.sh is run — all reasonable for a local GDPR tool. It does not request elevated OS-level privileges or modify other skills' configurations.
What to consider before installing
This package is a local GDPR utility that will scan many files under your home directory and create a persistent database and export files in ~/.nex-gdpr. Before installing or running it:

1) Review setup.sh to see exactly what it installs and where; run it only in a controlled environment or container if you are unsure.
2) Confirm which environment variables are actually used: OPENCLAW_SESSIONS is read by the code, but NEX_GDPR_SCAN_PATHS is declared in the metadata and README yet not obviously consumed by the Python code — ask the author or inspect code if you need custom scan paths.
3) Be aware the scanner will read other skills' SQLite DBs and agent memory files; if you don't want that breadth, restrict configured scan paths or run the tool under a dedicated service account.
4) The code advertises secure 3-pass deletion but the delete-path logic contains comments about demo behavior and the safe delete function does not always use the overwriting routine — test deletion semantics in a safe environment and back up audit logs before trusting erasure.
5) If you will handle real data subject requests, validate audit and encryption behaviors (export encryption is noted as a recommendation, not enforced).

If any of the above are unacceptable, do not run setup.sh or run the tool only in isolation until you can validate and/or harden it.


Runtime requirements

Clawdis
Bins: python3
Env: OPENCLAW_SESSIONS, NEX_GDPR_SCAN_PATHS