Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dad.skill
v1.0.0
Parenting co-pilot for fathers. Stay in sync with mom, know what happened while you were at work, track bonding moments, coordinate schedules. Never ask 'wha...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (parenting co-pilot) matches the files and instructions: local logs, briefings, schedules, and templates. The one capability that is under-specified is 'syncs with mom.skill' — no mechanism is described (no network, no shared path, no credentials). That could be an innocent omission (e.g., expecting both skills to read the same local folder) but is ambiguous and should be clarified.
Instruction Scope
SKILL.md directs the agent to store and read data at ~/.dad-skill/family/ (profile, jsonl logs, schedule). There are no instructions to access external services, baby monitors, or system credentials. However, the instructions imply reading/writing user files in the home directory and mention syncing with another skill (mom.skill) without explaining how — that is scope creep if it implies accessing other skills' data or remote endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest-risk install surface. The README gives CLI examples for third-party managers but these are informational; there is no automated download/extract included in the package.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond a local storage directory. That is proportionate to a local journaling/briefing assistant.
Persistence & Privilege
The skill will create and use ~/.dad-skill/family/ for persistent local storage. It does not request always:true or other elevated platform privileges. Persisting personal data locally is expected for this purpose, but users should be aware that deletion is manual (remove the folder).
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged as a prompt-injection pattern. A parenting/local-storage skill has no legitimate need to hide or obfuscate text; this pattern is suspicious and should be manually inspected and removed/clarified by the author before trusting the skill.
What to consider before installing
This skill appears to do what it says (local briefings, schedules, and logs) and does not request credentials or network access — which is good — but there are two things to check before installing:
1) Sync behavior: "syncs with mom.skill" is not described — ask the author how syncing works (local shared folder? LAN? cloud?). Do not assume automatic cross-device or cloud sync unless the mechanism and security are explicit.
2) Prompt-injection indicator: the SKILL.md contains unicode control characters (a pattern commonly used to obfuscate or attempt prompt-injection). Request the upstream source (repo or package) and ask the author to provide a clean, human-readable SKILL.md. Manually inspect the file in a text editor that shows hidden characters.
Operational precautions: install only from a trusted publisher; run the skill in a limited environment or sandbox first; back up any important data before giving the skill write access to your home directory; periodically inspect ~/.dad-skill/ for unexpected files. If you want automatic sharing between parents, prefer an explicitly described secure mechanism (e.g., encrypted cloud sync or a documented LAN sync) rather than an undocumented "sync".
Like a lobster shell, security has layers — review code before you run it.
latest vk974s5tsd6vxcy3r3qamq2mty984kxpj
