Skill v0.1.1
ClawScan security
NextCloud Deck Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 12, 2026, 4:29 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's runtime instructions require Nextcloud credentials and a 'deck' CLI and describe background monitoring and notifications, but the registry metadata declares no required credentials or install — a clear mismatch that warrants caution before installing or granting secrets.
- Guidance: This skill is internally inconsistent: its instructions require a 'deck' CLI and Nextcloud credentials (DECK_URL, DECK_USER, DECK_PASS) but the registry entry lists none. Before installing or providing secrets:
  1. Do NOT export your real DECK_PASS until you verify the code. Use a limited-scope Nextcloud App Password.
  2. Inspect the referenced GitHub repo (https://github.com/SkanderHelali/openclaw-deck-tracker) — review the 'deck' CLI code and monitor/notification implementation to confirm where notifications are sent.
  3. Change the default notification target (the SKILL.md defaults to 'Skander') or disable notifications if you can't verify the destination.
  4. If you want to test, run the tool in an isolated environment (temporary VM or container) and use least-privilege credentials.
  5. Ask the publisher to update the registry metadata to declare required env vars and any install steps, and to explain the notification endpoint and monitor process in detail.
  If you can't verify these, treat the skill as high-risk and avoid giving it credentials.
Review Dimensions
- Purpose & Capability (concern): The skill claims to manage Nextcloud Deck cards, which legitimately requires DECK_URL, DECK_USER, DECK_PASS and a client (the 'deck' CLI). However, the registry metadata lists no required environment variables, no primary credential, and no required binaries. The SKILL.md repeatedly instructs use of a 'deck' CLI and environment variables, so the declared metadata does not match the actual capabilities and requirements.
- Instruction Scope (concern): Instructions direct the agent to create and update cards, write temp files under /tmp, spawn a background monitor that logs every 60s and 'sends a chat notification' every 120s (defaulting to a user named 'Skander'). The monitor behaviour and the unspecified 'chat notification' endpoint are ambiguous and could result in outbound notifications or data disclosure to an external recipient. Otherwise most commands stay within Nextcloud Deck API usage, but the background-notify behaviour and the hardcoded default target are red flags.
- Install Mechanism (note): This is an instruction-only skill (no install spec, no code files). The README suggests installing via 'clawhub' or cloning a GitHub repo (https://github.com/SkanderHelali/openclaw-deck-tracker), but the registry provides no automated install. That means the agent's instructions expect an external 'deck' CLI to already exist, or expect the user to manually install code from the referenced repo, which could contain arbitrary code. No automatic downloads are performed by the registry entry, lowering automatic install risk, but the manual install path relies on an external GitHub repo that should be inspected before use.
- Credentials (concern): The SKILL.md and README both instruct setting DECK_URL, DECK_USER, DECK_PASS, BOARD_ID and optional STACK_* variables. These are appropriate for Nextcloud Deck but are not declared in the registry metadata. DECK_PASS is sensitive (an app password), and granting it without the registry advertising credential needs is a mismatch that increases risk. No other unrelated credentials are requested.
- Persistence & Privilege (note): The skill is not 'always: true' and does not request persistent installation or global config changes. However, it explicitly instructs spawning a background monitoring process that runs periodically and sends notifications; that creates runtime persistence while active. Autonomous invocation is allowed (platform default), which, combined with unadvertised credential requirements and background notifications, increases the blast radius. This is worth noting but is not by itself proof of malicious intent.
