ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Grandpa.skill

v1.0.0

Preserve your grandfather's stories, skills, life philosophy, and the quiet strength that held the family together. He survived things you can't imagine. Fee...

0· 34·0 current·0 all-time
by@realteamprinz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (preserve a grandfather's memories) matches the instructions and declared requirements: no credentials, no external services, and local storage (~/.grandpa-skill/). There are no unrelated environment variables or binaries requested.
Instruction Scope
SKILL.md instructs the agent to collect manual user input and store it locally in human-readable files; it does not instruct reading other system files or sending data externally. However, the document uses the term "Self-learning" and contains a truncated example and formatting that could hide additional directives; combined with detected unicode-control characters, this warrants closer inspection of the raw SKILL.md for hidden/obfuscated content.
Install Mechanism
There is no install spec included (instruction-only), which is lower risk because nothing is automatically downloaded or executed. The README shows example install commands for package managers/agents, but those are invocation examples rather than an included install script.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That aligns with its stated purpose of local-only memory storage.
Persistence & Privilege
always:false and default autonomous invocation are normal. The skill stores files under a user home directory (~/.grandpa-skill/), which is a reasonable scope for data persistence and not an elevated system privilege.
Scan Findings in Context
[unicode-control-chars] unexpected: Non-printing/unicode-control characters were detected in SKILL.md. These characters are not expected for a simple instruction document and can be used to obfuscate prompt-injection or hidden directives. This finding increases risk and should be inspected in the raw file (e.g., view hex or reveal control chars) before trusting the skill.
What to consider before installing
This skill appears to be what it claims (collect your memories and save them locally), but take these precautions before installing or using it: 1) Inspect SKILL.md and README in a raw/hex or 'show invisibles' view to confirm there are no hidden control characters or injected directives; the scanner found unicode-control-chars. 2) If you install, do so from a trusted source (verify the publisher's identity) and prefer installing in a sandboxed account or VM first. 3) Confirm what files are created under ~/.grandpa-skill/ and check their permissions; ensure no unexpected network activity (monitor outbound connections during first runs). 4) Ask the publisher to clarify what they mean by "Self-learning" — does it ever send data externally, update a remote model, or require additional binaries? 5) Avoid entering sensitive account credentials or unrelated personal data into the skill; it's intended for memories only. If the developer cannot explain the control-character findings and the "self-learning" behavior, treat the package with caution or avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk9736a279dqse50t9qym482bfh84j5d6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments