Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dont Deal Triage
v0.1.0
Use this skill when a developer or desk worker reports chest pain, chest pressure, left arm or jaw discomfort, shortness of breath, unusual sweating, faintne...
⭐ 0 · 34 · 0 current · 0 all-time
by 少卿 (@shaoqing404)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description promise conservative, local-first triage, and the code implements that: git-derived fatigue inference, local system/host detection, an interactive quick-triage CLI, and local JSON storage. The host-detection code inspects environment variables (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY) only to label the runtime host; this is plausible for UI/telemetry and does not itself require credentials.
Instruction Scope
SKILL.md instructs the runtime to run the bundled scripts/index.js or the quick-triage CLI. The scripts run local commands (git, ps) to read git commit timestamps and parent-process info, read and write local JSON under the user's home (~/.dont-deal), and ask questions interactively. No instruction or code path contacts a remote endpoint or exfiltrates data. Note: the code climbs parent directories to find the nearest .git, so it examines the first repository found from the current working directory upward; users should be aware of which repo the skill will inspect.
Install Mechanism
No external install or downloads are specified. The skill is a bundled Node package with local scripts and a package.json (usable for running the scripts). No remote URLs, package installs, or extracted archives are used.
Credentials
The skill declares no required env vars or credentials. At runtime it reads process.env to (a) allow DONT_DEAL_HOME override and (b) heuristically detect hosting environments by checking for keys like OPENAI_API_KEY, ANTHROPIC_API_KEY, OPENCLAW, and other host signals. Reading env to detect host is proportionate to its UI/telemetry goal, but users should note that the presence of API key variables is checked (not transmitted). No secret is sent out by the code.
Persistence & Privilege
The skill persists data under ~/.dont-deal (snapshot.json, profile.json, events.json, config.json). SKILL.md says to persist user-provided background history only after explicit consent; the code creates a default config, and the quick CLI appears to write events/profile locally. Users who require consent before any record is stored should verify that the interactive flow honours it. There is no evidence the skill modifies other skills or system-wide settings.
Assessment
This skill appears to do what it says: run locally, read git commit timestamps to estimate recent sleep/fatigue, inspect basic system/time/parent-process info, interactively ask triage questions, and save structured results under ~/.dont-deal. Before installing or running:
- Review the code if you want to confirm there are no network calls (none are present).
- Be aware it executes local commands (git and ps) and walks parent directories to find a git repo — run it from a directory whose repo you are comfortable having examined.
- The skill writes local files (snapshot.json, profile.json, events.json, config.json). If you require explicit consent before storing anything, step through the quick-triage flow and confirm when/what it writes; you can set DONT_DEAL_HOME to control the storage location.
- No credentials are required and the code does not transmit data externally, but the host-detection logic checks for presence of common API key env vars (it only reads them to infer the host).
If you need stricter privacy, run the scripts in a controlled environment or set DONT_DEAL_HOME to a directory you control; otherwise this bundle is internally consistent with its stated purpose.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/utils.js:103 · Shell command execution detected (child_process).
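The two review steps the assessment recommends, written out as a shell script: grep the bundle for the behaviours the scan calls out (child_process, network modules, process.env reads, the upward .git walk), then run it with a scrubbed environment and a throwaway DONT_DEAL_HOME. This is an added example, not code from the Dont Deal Triage skill or from ClawHub's scanner; the grep patterns and the sample utils.js it builds are constructed assumptions for illustration, not the skill's real source.

```shell
#!/bin/sh
# Added example, not part of the Dont Deal Triage skill or of ClawHub's scanner: a manual
# pre-install review that follows the assessment's advice. audit_skill greps a skill bundle
# for the behaviours the report calls out (child_process, network modules, process.env reads,
# the upward .git walk); run_isolated executes a command with a scrubbed environment and a
# throwaway HOME/DONT_DEAL_HOME so the skill sees no real API keys and writes nowhere real.
# The grep patterns and the sample utils.js are assumptions constructed for illustration.

# Print file:line hits for each pattern. Returns 1 if anything matched, 0 if clean.
audit_skill() {
  skilldir=$1
  found=0
  for pat in \
    'require\(.child_process.\)' \
    'require\(.(http|https|net|dgram|tls|dns).\)' \
    'fetch\(|XMLHttpRequest|WebSocket' \
    'process\.env' \
    'path\.dirname|\.git'
  do
    # /dev/null forces the filename prefix even when only one file matches.
    hits=$(find "$skilldir" -type f \( -name '*.js' -o -name '*.mjs' -o -name '*.cjs' \) \
             -exec grep -nE "$pat" /dev/null {} + 2>/dev/null)
    if [ -n "$hits" ]; then
      found=1
      printf '== %s ==\n%s\n' "$pat" "$hits"
    fi
  done
  return $found
}

# Run COMMAND (a shell string) under env -i, so only HOME, PATH and DONT_DEAL_HOME exist,
# from a fresh git repo so the skill's upward .git search stops inside the scratch dir.
run_isolated() {
  scratch=$(mktemp -d)
  mkdir -p "$scratch/work" "$scratch/.dont-deal"
  if command -v git >/dev/null 2>&1; then
    git -C "$scratch/work" init -q
  fi
  env -i HOME="$scratch" PATH="$PATH" DONT_DEAL_HOME="$scratch/.dont-deal" \
    sh -c "cd \"$scratch/work\" && $1"
  status=$?
  echo "scratch dir (inspect, then delete): $scratch" >&2
  return $status
}

# Constructed stand-in for a bundle like the one the report describes; prints its path.
make_sample_skill() {
  sample=$(mktemp -d)
  mkdir -p "$sample/scripts"
  cat >"$sample/scripts/utils.js" <<'EOF'
const { execSync } = require("child_process");
const path = require("path");
function hostLabel() { return process.env.ANTHROPIC_API_KEY ? "anthropic" : "unknown"; }
function findRepo(dir) { /* climb until a .git directory is found */ return path.dirname(dir); }
module.exports = { execSync, hostLabel, findRepo };
EOF
  printf '%s\n' "$sample"
}

demo() {
  sample=$(make_sample_skill)
  audit_skill "$sample" || echo "review the hits above before running the skill" >&2
  OPENAI_API_KEY=sk-constructed \
    run_isolated 'echo "key visible: [${OPENAI_API_KEY:-}]  store: $DONT_DEAL_HOME"'
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh review.sh demo` to see the audit hits for the constructed sample and confirm that, under run_isolated, the API key is invisible and the store path points into the scratch directory. Point audit_skill at the unpacked skill instead of the sample to review the real bundle; the hit for `child_process` should line up with the scripts/utils.js finding above, and any `http`/`https`/`fetch` hit would contradict the "no network calls" assessment and deserves a closer look.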
latest · vk970rg7g2q942s4tnkwz6s928d840f5k
