ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Date.skill

v1.0.0

Dating intelligence co-pilot. Remember everything about the person you're seeing — what they said on the first date, their favorite restaurant, what makes th...

0· 67·0 current·0 all-time
by@realteamprinz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and files align: an instruction-only skill that stores user-provided memories in ~/.date-skill/ and provides reminders and suggestions. There are no unexpected env vars, binaries, or install steps.
!
Instruction Scope
SKILL.md explicitly limits operations to recording user-provided memories and storing them locally, which is in-scope. However the SKILL.md has pre-scan findings for unicode-control-chars (prompt-injection signal). Because SKILL.md is the runtime instruction, hidden/control characters could alter model behavior or hide instructions — this is a notable risk.
Install Mechanism
No install spec and no code files — lowest-risk distribution model. Nothing is downloaded or written by an installer according to metadata.
Credentials
The skill requests no environment variables or external credentials, which is proportionate. It does require filesystem access to create and read ~/.date-skill/people/, which is expected for a local memory store but means it will hold sensitive personal data in plain text unless the user takes extra measures (encryption, secure backups).
Persistence & Privilege
always:false (not force-included) and default autonomous invocation allowed — both are normal. The skill does not request elevated or system-wide privileges or other skills' configs.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode-injection patterns were detected inside SKILL.md. For an instruction-only, privacy-focused skill this is unexpected and could be used to hide or manipulate runtime instructions or evaluation prompts. This finding should be inspected manually.
What to consider before installing
This skill is internally consistent with its description (local date memory bank) and doesn't request external credentials or installs, but proceed cautiously. The SKILL.md contains a prompt-injection signal (unicode control characters) — ask the publisher for a clean plain-text copy or inspect the files yourself before enabling. Understand that the skill will create plain-text profiles under ~/.date-skill/people/ (sensitive personal data). If you install/use it: (1) ensure the device is secure and backups/cloud sync (iCloud/Dropbox/Google Drive) won’t upload the profile directory unintentionally; (2) consider encrypting the folder or using an encrypted container; (3) delete profiles when relationships end; (4) prefer running the skill in an environment without network access if you require guarantee of no exfiltration; (5) verify the skill author/trustworthiness before storing highly sensitive personal information.

Like a lobster shell, security has layers — review code before you run it.

latestvk97282k1ch7mv36g833ej99jb984j32x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments