Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Driver Card Tachograph
v1.0.0Parses EU Digital Tachograph driver card (.ddd) files, converts to JSON, imports data into SQLite, and exports driving info and violations to CSV.
⭐ 1· 66·0 current·0 all-time
bySanweb@sanwebgit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to parse .ddd driver card dumps, import to SQLite and export CSV — all included scripts (process.sh, import.py, export.py, health_check.py, cleanup.py) implement those behaviors. The SKILL.md and references explain building a third‑party dddparser from GitHub, which matches the declared need for a parser binary. No unrelated binaries or credentials are requested.
Instruction Scope
Runtime instructions operate on local directories (data/inbox, data/parsed, data/json, data/archive, summaries) and the local SQLite DB. The scripts do file I/O, parsing, DB writes, CSV export, health checks and archive cleanup — all within the stated scope. They do not contact remote endpoints at runtime or read unrelated system files. One minor point: process.sh optionally uses the MAIL_TO environment variable to send email alerts (if configured), which is reasonable but not declared in requires.env.
Install Mechanism
There is no automated install spec; the build guide asks you to git clone and build a dddparser from https://github.com/traconiq/tachoparser (a GitHub repo). Cloning and building third‑party code is expected for this parser, but you should review and verify that repository and the produced binary before running it in your environment. The build host (GitHub) is a standard release source; no obscure download URLs are used in the provided instructions.
Credentials
The skill requests no environment variables or credentials in registry metadata. The runtime scripts do, however, optionally reference MAIL_TO for alert emails and rely on system tools (mail) if you configure that — MAIL_TO is not declared as a required env var but is optional. No secrets (API keys, AWS creds, tokens) are requested or used. Database and file paths are local to the project directory.
Persistence & Privilege
The skill is not always-enabled and does not require special platform privileges. It creates and modifies files inside its project workspace (data/, summaries/, logs/), archives original .ddd files, and deletes aged files per configured retention. These are normal actions for this kind of tool; the 10-year archive deletion and 1-year summary retention are long but documented and consistent with stated legal retention requirements.
Assessment
This skill appears to do exactly what it says: parse .ddd files, import into SQLite, and export CSVs. Before installing and running it:
- Verify the dddparser binary source: the build guide clones https://github.com/traconiq/tachoparser. Review that repo and the built binary for trustworthiness before copying it into the skill's bin/ directory.
- The skill operates on local files and the local SQLite DB only (no network exfiltration is present in the scripts), but double-check any build-time network activity (git clone) and only use trusted releases.
- Be aware of retention behavior: archives are kept for 10 years and summaries for 1 year; cleanup.py will delete files accordingly. Ensure this retention matches your data‑handling and privacy policies.
- process.sh can send alert emails if MAIL_TO is set and mail is available; this environment variable is optional but not listed in metadata — if you do not want emails, leave MAIL_TO unset or remove that section.
- Confirm runtime environment: Python 3 is required and the dddparser binary must be present (the package does not include the compiled binary). Run the scripts in a controlled workspace (least privilege) and inspect logs/summaries after initial runs.
If you want, provide the dddparser repository link or the built binary hash and I can help inspect the upstream code or compare checksums.Like a lobster shell, security has layers — review code before you run it.
latestvk971es2cwhk4mhc51dmwv9thf583rjsj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.