Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cycle Companion

v1.0.1

Menstrual cycle tracker designed for partners. Calculates current phase from one input (last period date), provides factual phase info (hormones, energy, moo...

by Romain (@romain-grosos)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, README and included Python scripts are consistent: the code calculates cycle phase/fertility windows from a last-period date, persists configuration under ~/.openclaw/config/cycle-companion, and produces cron payloads for notifications. No unrelated credentials or binaries are requested. The `telegram` output is an optional output channel but the skill does not request Telegram credentials because it expects the agent/platform to perform actual delivery.
Instruction Scope
Runtime instructions are scoped to reading/writing the local config, computing phases, formatting references, and producing cron payloads; they direct the agent to create/delete cron jobs and to send notifications via configured outputs. This is within the stated purpose, but it gives the agent permission to schedule system cron jobs and to forward personal cycle information to external messaging channels (e.g., Telegram) via the agent's connectors.
Install Mechanism
No install spec; the skill is instruction-only plus included Python scripts (stdlib only). No remote downloads or package installs are required, which minimizes supply-chain risk.
Credentials
The skill requests no environment credentials (good), but it stores sensitive health data (last_period_date and other cycle params) in plain JSON at ~/.openclaw/config/cycle-companion/config.json with no encryption or secure storage. Notifications are intended to be sent to external channels (Telegram or file) — if Telegram is enabled, the actual delivery will use the agent/platform's Telegram integration (and its credentials). Consider whether storing and automatically sending intimate health data to external services is acceptable.
Persistence & Privilege
always: false (normal). The skill persists config files under the user's home and instructs the agent to add/delete cron jobs (system-level scheduled tasks). This is expected for a notifier but means the skill will have an ongoing presence via cron-triggered runs; verify you are comfortable with cron jobs being created and with the content of cron payloads.
Assessment
This skill is coherent with its stated purpose, but it handles sensitive personal health data and schedules system cron jobs that can cause automatic, repeated notifications to external channels. Before installing:

1. Inspect the code locally (it is included) and confirm you trust the author.
2. Run setup with outputs empty (no Telegram) to avoid automatic external messages.
3. Secure the config file (restrict filesystem permissions or move it to encrypted storage), because last_period_date and fertility info are stored in plaintext at ~/.openclaw/config/cycle-companion/config.json.
4. Review the cron payloads the skill emits before adding them to your system cron.
5. Test in simulation mode (cycle.py --date ...) and run setup.py --show to verify behavior.
6. Be aware the skill relies on the agent/platform to deliver messages (e.g., Telegram), so audit which external connectors the agent has access to.
7. If you decide to uninstall, use setup.py --cleanup and remove any cron jobs that were created.

Also note a minor code-quality issue: some scripts (cycle.py) shown in the package appear truncated or contain a stray character in the validation section; run the scripts in a safe test environment first to confirm they execute as expected.


latest · vk97bgccegx1h7x0gmftwtp1pd18387t2

