Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Parent.skill

v1.0.0

Unified parenting co-pilot for both parents. Track your baby's patterns together — feeding, sleep, milestones, soothing playbook. One source of truth for mom...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, templates, and README all describe a local-only parenting co-pilot storing files under ~/.parent-skill. There are no declared env vars, required binaries, or install scripts that would be unexpected for this purpose, so requested capabilities are proportionate to the stated goal.
Instruction Scope
SKILL.md scope stays largely within the stated purpose: it references only local storage (~/.parent-skill/children/) and explicitly denies external data transmission. Two minor concerns: (1) the doc claims 'voice note → auto-logged' but provides no mechanism for audio capture/transcription or required binaries/services, and (2) the scanner detected unicode-control-chars inside SKILL.md (prompt-injection pattern) — hidden characters can alter model parsing and are not expected for a local parenting tracker.
Install Mechanism
No install spec or code files are present beyond documentation and templates (instruction-only). This is the lowest-risk install posture; nothing is downloaded or written by an automated installer.
Credentials
No environment variables, credentials, or privileged config paths are requested. The skill does not ask for unrelated secrets or cloud credentials, which is appropriate for a local-only tracker.
Persistence & Privilege
always is false and the skill does not request permanent platform-level privileges. It only describes writing to its own ~/.parent-skill folder and does not claim to modify other skills or global agent settings.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden/unprintable Unicode control characters were detected in SKILL.md. A parenting skill that stores data locally would not normally need or benefit from such characters; they can be used to manipulate model input parsing or hide instructions and should be inspected and removed or explained by the author.
What to consider before installing
The skill otherwise looks coherent for a local baby tracker, but the detected hidden Unicode control characters are a red flag for prompt-injection attempts. Before installing: (1) ask the author to explain or provide a clean SKILL.md without hidden characters; (2) inspect the file yourself (e.g., hexdump -C SKILL.md or cat -v SKILL.md) and remove control characters; (3) verify there is no code that would send data externally (there are none included, which reduces risk); (4) if you plan to use 'voice note' features, require clarity on how audio is captured/transcribed and what local tools (if any) are used; (5) run the skill first in an isolated account or VM and monitor for unexpected network activity. If the author cannot account for the hidden characters and the voice-note behavior remains vague, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97avy13zkfxwwek657xphgbnd84k79a
