Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Healthcheck Rose
v1.0.0
Track water and sleep with JSON file storage
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md implements a simple local health tracker that reads/writes a JSON file — this aligns with the description. However, the commands are Node.js one-liners while the skill metadata declares no required binaries; an environment with node is needed but not declared. Also the registry metadata/version (1.0.0) differs from SKILL.md and _meta.json (1.0.2), and ownerId in _meta.json differs from the registry metadata ownerId, raising integrity questions.
Instruction Scope
Instructions tell the agent to execute inline Node (-e) code that reads/writes {baseDir}/health-data.json. This is consistent with local storage, but the SKILL.md uses a {baseDir} placeholder that is not defined anywhere — unclear substitution behavior may cause files to be created in unexpected locations (literal '{baseDir}' folder). The one-liners sometimes assume the file exists (update/delete) causing potential runtime errors. No network calls or secret access are requested.
Install Mechanism
There is no install spec (instruction-only skill), which minimizes installation risk. The runtime requires Node.js but no install step or required-binaries declaration documents that dependency.
Credentials
The skill requests no environment variables or credentials, which is proportionate. It does, however, perform filesystem writes in the agent's environment — acceptable for a local tracker but the target path is ambiguous due to the undefined {baseDir} placeholder.
Persistence & Privilege
The skill sets always:false and has no install steps that change other skills or system-wide configuration. It will persist data to disk (health-data.json) under the agent's runtime filesystem, which is expected for this purpose.
What to consider before installing
This skill appears to implement exactly what it claims (a local JSON-based water/sleep logger) but has several red flags you should consider before installing or enabling it:
(1) Metadata inconsistencies — the ownerId and version in _meta.json don't match the registry metadata/version, which could indicate packaging mistakes or tampering.
(2) Undeclared runtime dependency — the SKILL.md runs node -e commands but the skill doesn't declare Node as a required binary; ensure your agent runs Node or these commands will fail or behave unexpectedly.
(3) Undefined {baseDir} placeholder — the instructions expect {baseDir} to be substituted; clarify where data will be written (current working directory, a sandboxed location, or a user-specified folder).
(4) Inline JS execution — the skill executes arbitrary JavaScript code via node -e; while the provided snippets are benign, inline execution can be abused if the skill is updated or if templating/substitution is incorrect.
Recommendations: ask the publisher for corrected metadata and explicit runtime requirements, confirm where files will be stored, run the skill first in a restricted/sandboxed environment, or copy the one-liners into a reviewed local script before enabling autonomous invocation.
Like a lobster shell, security has layers — review code before you run it.
