Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mom.skill

v1.0.0

Parenting co-pilot for mothers. Tracks your baby's feeding, sleep, and cry patterns. Builds a soothing playbook ranked by success rate. Remembers what works...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The skill claims to be a local-only parenting co‑pilot and requests no binaries, env vars, or installs — which fits basic logging and file I/O. However, advertised features such as 'Multi-Caregiver Sync' and 'Quick voice-note style entries' imply networked sharing or audio capture/processing, yet no mechanism, dependencies, or permissions for sharing or audio recording are declared. That mismatch is unexplained and disproportionate to the stated local-only purpose.
!
Instruction Scope
SKILL.md instructs the agent to read/write files under ~/.mom-skill/ (consistent with a local logger). But it also promises multi-user access and voice-note entries without describing how data would be shared or how audio would be captured/stored. Additionally, a pre-scan detected 'unicode-control-chars' inside the SKILL.md, which suggests the text includes control characters that can be used for prompt-manipulation; that is unexpected for a benign instruction document.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so there is no archive download or third-party package installation to review. This lowers the installation risk surface.
Credentials
The skill declares no required environment variables, no credentials, and no config paths — appropriate for a purely local logger. Still, the lack of declared network or sharing credentials conflicts with the 'Multi-Caregiver Sync' feature; if the skill actually implements sharing, that would be disproportionate to its declared environment footprint.
Persistence & Privilege
The skill does not request always:true, does not declare elevated privileges, and describes storing data in a user-home directory (~/.mom-skill). That level of persistence is normal for a local helper.
Scan Findings in Context
[unicode-control-chars] unexpected: Control / directionality characters in SKILL.md are not expected for a simple instruction-only skill. These characters can be used to manipulate parsing or LLM prompt interpretation (e.g., hiding text, changing reading order). Because the skill has no code files, this is the primary anomaly; it may be an attempt to influence runtime behavior or evaluation.
What to consider before installing
This skill mostly looks like a simple local baby-logger, but there are unexplained claims and a suspicious text artifact. Before installing:
(1) Ask the publisher for source code or a repository URL — 'source: unknown' is a risk.
(2) Inspect the raw SKILL.md (in a hex/text editor) to find and remove any hidden unicode control characters; verify no hidden instructions or endpoints.
(3) Clarify how 'Multi-Caregiver Sync' and 'voice-note' features are implemented — if they require cloud sync or network access, that should be declared and justified.
(4) If you want to try it, run it in an isolated environment (separate account or VM) and monitor network traffic to confirm no external transmissions occur.
(5) If strict privacy is required, do not use until the developer documents sharing/recording behavior and provides source code you can audit.

Like a lobster shell, security has layers — review code before you run it.
