Skillv1.0.0

ClawScan security

medication-clock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 30, 2026, 6:02 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, runtime instructions, and resource access are consistent with a local medication reminder that stores data under the user's home directory and uses OpenClaw cron for notifications.
Guidance: This skill appears coherent and limited to local reminders and local JSON storage. Before installing: 1) Inspect the included scripts (especially setup.py and medication_wrapper.sh) and adjust any hardcoded paths (the repo contains examples pointing to /Users/robbin). 2) Back up any existing ~/.openclaw/medication_data before running setup.py. 3) Run the test script (test_system.py) in a safe, non-privileged user account — note it is interactive and will prompt to clean up test data. 4) If you plan to enable automatic OpenClaw cron delivery, verify OpenClaw installation and channel configuration; the skill assumes OpenClaw handles delivery, it does not perform network I/O itself. 5) If you require stricter privacy, confirm you keep the data directory local (no external sync) and review exported CSVs before sharing with others.

Review Dimensions

Purpose & Capability: okName/description (medication reminder) match the included code and files. Required binary is only python3 and the code only touches local files and OpenClaw integration points — appropriate for the stated purpose.
Instruction Scope: noteSKILL.md and code instruct the agent to create local cron tasks and read/write JSON files in ~/.openclaw/medication_data, which is consistent with the stated features. Minor scope notes: several files reference OpenClaw-specific APIs and channels (Feishu/WebChat) but there is no network code in the repository; the code assumes OpenClaw will deliver messages. Some example wrapper files and README include an absolute path (/Users/robbin/...) which is a leftover example and should be adjusted for other installations.
Install Mechanism: noteNo automated install spec is provided (no package download). The repo includes a setup.py that performs local setup tasks and prints instructions; installation is manual which reduces silent risk but requires the user to run scripts. This is consistent with an on-disk Python tool; nothing is downloaded from remote URLs by the setup script.
Credentials: okThe skill requests no environment variables or external credentials. It only needs python3 and file-system access under the user's home directory, which is proportional to its functionality.
Persistence & Privilege: okalways:false and no special privileges requested. The code creates config/data files under ~/.openclaw and a local wrapper script; this is expected behavior for a local reminder tool and does not modify other skills or system-wide credentials.