English Learn Cards
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: english-learn-cards Version: 0.1.1 The skill bundle is benign. It provides a flashcard-based English vocabulary learning tool using a local SQLite database. The `scripts/words.py` helper script makes legitimate network requests to dictionary.cambridge.org to fetch audio pronunciations, which is directly aligned with its stated purpose. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the OpenClaw agent to subvert its behavior or access sensitive data beyond the skill's scope. All instructions in `SKILL.md` and `AGENT_PROMPT_TEMPLATE.md` are for proper skill usage and agent interaction.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may cause the agent to run the bundled Python helper to create or modify the vocabulary database.
The skill expects the agent or user to run a local Python helper for database operations. This is disclosed and central to the skill's purpose, but it is still local code execution.
Use the helper for all DB operations: ```bash python skill/scripts/words.py init python skill/scripts/words.py migrate python skill/scripts/words.py add "implement" ...
Use the helper only for the documented flashcard commands and review the script before installing if you are cautious about local code execution.
Your vocabulary cards, review history, and related learning data may remain on disk across sessions.
The skill intentionally creates persistent local memory for vocabulary cards and SRS state. Persistent learning data is expected here, but users should know where it is stored.
SQLite DB path is controlled via env var: - `ENGLISH_LEARN_CARDS_DB` (default: `~/clawd/memory/english-learn-cards.db`)
Set ENGLISH_LEARN_CARDS_DB to a location you control, avoid adding sensitive private phrases, and back up or delete the database as needed.
If audio lookup is used, the word or phrase being looked up may be sent to Cambridge Dictionary.
The helper includes an outbound Cambridge Dictionary lookup for audio URLs, which can send the requested headword to an external provider.
url = f"https://dictionary.cambridge.org/dictionary/{dict_path}/{requests.utils.quote(headword)}"
try:
r = requests.get(Avoid using `--fill-audio` or `cambridge-audio` for sensitive phrases, and document this external lookup for users.
The skill may not work until the Python dependency is available, and users may need to decide how to install it safely.
The helper depends on the external Python package `requests`, while the provided metadata says there is no install spec or required binaries. This is an under-declared dependency rather than evidence of malicious behavior.
import requests
Pin and declare Python dependencies in an install spec or README so users can install from a known, reviewable source.