Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Brother.skill
v1.0.2
Distill your bros -- from YOUR memories and descriptions. Captures how they talk, what makes them funny, their catchphrases, their energy. Feed it your own s...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
Name, description, and runtime instructions all align: the skill builds personality profiles from user-provided descriptions and uses them to generate in-character responses. No unusual binaries, env vars, or unrelated capabilities are requested.
Instruction Scope
SKILL.md instructs the agent to accept user descriptions, extract profile dimensions, and store them locally. However, it repeatedly asserts 'No transmission' / 'No cloud' while providing no mechanism to ensure that model calls or agent telemetry won't send inputs or profiles to remote servers. The instructions also do not mention encryption or protections for the stored plaintext files.
Install Mechanism
Instruction-only skill with no install spec or code — lowest install risk. Nothing is downloaded or written by an installer step.
Credentials
The skill requires no credentials or environment variables, which is consistent with its stated local-only operation. However, absence of declared credentials does not prevent the agent runtime from sending data to a remote model; SKILL.md does not address this.
Persistence & Privilege
always is false and the skill does not request elevated privileges or to modify other skills. It creates files under a user home subdirectory (~/.brother-skill/), which is appropriate for user-scoped persistence.
What to consider before installing
This skill is largely self-consistent — it stores profiles in ~/.brother-skill/ and has no installs or requested secrets — but be aware of two practical privacy risks before installing:

(1) 'No external transmission' is misleading: when you use the skill the agent will typically send your text inputs (the descriptions you write) to whatever model provider the agent uses (cloud LLMs often log or retain inputs). If you need true offline behavior, confirm your agent runs a local LLM and does not forward skill data to remote services.

(2) Profiles are stored as plaintext under your home directory; these files may be picked up by OS/cloud backups (iCloud, Dropbox, Google Drive) or discovered by other processes. Consider avoiding posting sensitive or identifying personal data in profiles, enable encryption or secure storage for the folder if available, and review your agent/model provider privacy policy.

Finally, note a misuse risk: even if authors disclaim 'not impersonation,' generated outputs could be used to imitate someone — avoid entering sensitive, private, or identifying details about real people.

Like a lobster shell, security has layers — review code before you run it.
