ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Father.skill

v1.0.0

Preserve your father's wisdom, work ethic, life lessons, and the things he never said out loud but showed through everything he did. Feed it your memories. F...

0· 30·0 current·0 all-time
by@realteamprinz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (preserve a father's memories) align with what the skill asks for: no credentials, no external services, and local storage under ~/.father-skill. The declared scope matches the requested resources.
Instruction Scope
SKILL.md instructions stay within the stated purpose (collect user-provided memories, store locally, provide 'what would dad say' responses). However, the SKILL.md contains detected unicode control characters (prompt-injection pattern). That is unexpected for a memory-preservation skill and could be used to hide, reorder, or obfuscate text — worth manual inspection.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal install risk (nothing is automatically written or fetched by the skill bundle itself).
Credentials
No environment variables, credentials, or external config paths are requested. This is proportionate for a local memory-conservation skill.
Persistence & Privilege
always:false (normal) and the skill documents local storage at ~/.father-skill. That level of persistence is appropriate for the stated purpose; consider filesystem permissions for sensitive content.
Scan Findings in Context
[unicode-control-chars] unexpected: Unicode control / invisible characters were found in SKILL.md. These can be used to hide or obfuscate instructions (a prompt-injection technique). For a skill that claims to be local-only and simple, this is unexpected and should be inspected manually before trusting or installing.
What to consider before installing
The skill appears coherent: it asks for nothing sensitive, stores data locally, and matches its description. However, the SKILL.md contains unicode control characters which can hide or manipulate text shown to evaluators or the agent. Before installing: (1) open SKILL.md and the other files in a text editor that can show invisible/control characters (or run a utility like `cat -v`/`sed -n l` or a hex viewer) and confirm there is no hidden or surprising content; (2) confirm you trust the publisher/owner; (3) verify the agent runtime will not transmit ~/.father-skill to external services and set restrictive file permissions (chmod 700) on the folder to protect sensitive memories; (4) because this is instruction-only, remember the agent's runtime (or other installed skills) could still access those files — limit network access for the agent if you need extra assurance. If you find any suspicious hidden text or commands, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fzsk3xjf9f4nmc3f8b70pjs84jezy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments