ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Adam Skill 1.0.0

v1.0.0

Manage daily schedules, tasks, family coordination, shopping, appointments, and planning to improve personal organization and productivity.

0· 15·0 current·0 all-time
byDanielle@supadoopa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and SKILL.md all describe a personal life-management assistant. There are no declared binaries, env vars, or config paths that contradict the stated purpose.
Instruction Scope
SKILL.md is an instruction-only manifest describing features (scheduling, tasks, drafting messages). It does not instruct the agent to read local files, access environment variables, or contact external endpoints outside normal operation. No scope creep is present in the instructions themselves.
Install Mechanism
No install spec and no code files are included; the skill is instruction-only, which minimizes installation risk. However, the package metadata shows inconsistencies (ownerId and slug differ between registry metadata and _meta.json), which is a provenance/packaging quality concern.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for a planning/assistant skill. Because it drafts messages, it may handle personal data at runtime — but it does not request keys or secrets.
Persistence & Privilege
always is false and the skill is user-invocable. disable-model-invocation is false (normal), meaning the agent could call the skill autonomously — this is platform default and not in itself a problem. The skill does not request persistent system presence or modify other skills.
What to consider before installing
This skill appears functionally coherent and low-risk (instruction-only, no installs, no credentials requested). However, the package provenance is unclear: the source and homepage are missing and the embedded _meta.json ownerId/slug do not match the registry metadata. Before installing, consider: 1) Only install if you trust the publisher or can verify the source; 2) Avoid entering sensitive credentials or private data into the skill; 3) If you want stricter control, disable autonomous invocation for this skill so it cannot run without your prompt; 4) Prefer skills with a verifiable homepage or source repository — inconsistent metadata is a quality/traceability concern even if not clearly malicious. If the publisher clarifies the metadata mismatch or provides a verifiable source, reassess to increase confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk976d8ay0xg506jtas4nccneps84h6yx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments