Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blind Date Assistant

v1.0.0

Help users decide how to shop on Taobao from public marketplace characteristics. Use when the user asks whether Taobao is a good place to buy something, how...

0 · 341 · 0 current · 0 all-time
by haidong @harrylabsj

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for harrylabsj/blind-date-assistant.

Install the skill "Blind Date Assistant" (harrylabsj/blind-date-assistant) from ClawHub.
Skill page: https://clawhub.ai/harrylabsj/blind-date-assistant
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install blind-date-assistant

ClawHub CLI

npx clawhub@latest install blind-date-assistant

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The user-facing name you supplied ('Blind Date Assistant') does not match the SKILL.md (name: taobao-shopping). The manifest contains hundreds of files from many different skills and components (decision-journal, second-brain-triage, various shopping skills, agent bootstrapping docs). That large, multi-project footprint is disproportionate to a single low-sensitivity Taobao decision-support skill and suggests the bundle is an aggregated repo rather than a single-purpose skill.
[!] Instruction Scope
The SKILL.md itself is properly scoped to public, non-account operations. However the included files (notably agents/code/AGENTS.md, BOOTSTRAP.md, SOUL.md, and multiple scripts) instruct an agent to read workspace memories (memory/YYYY-MM-DD.md, MEMORY.md), read and update identity/state files, and perform background memory maintenance. Some scripts (e.g., decision-journal CLI) write to ~/.openclaw/*. Those behaviors contradict the SKILL.md claim of 'does not perform ... local database persistence' and expand the skill's runtime scope beyond what's documented.
Install Mechanism
No install spec is declared (instruction-only by registry), which limits automatic installation risk. However the bundle contains many executable scripts and CLIs (Python/JS/TS) and templates that, if run, would execute code and write to disk. Absence of an install step reduces automatic risk but the included code is runnable and could be executed by an agent or a user later.
[!] Credentials
Registry metadata lists no required env vars, but multiple included skill docs reference environment variables and API keys (e.g., TODOIST_API_TOKEN, NOTION_API_KEY, OPENAI_API_KEY) and configuration paths (Obsidian vault paths, ~/.config/second-brain-triage/config.yaml). The package therefore contains components that would expect credentials or access to user files even though the published skill declares none—this is an incoherence and increases the risk that installing/using the bundle could lead to credential or local-file usage.
[!] Persistence & Privilege
The skill is not set always:true and is user-invocable (normal). But included code and docs indicate persistent storage and memory updates under ~/.openclaw (decision journal, snapshots, indexes). SKILL.md explicitly says it will not do login, order retrieval, cookie handling, or local DB persistence—yet the repository contains code that persists to the user's home. That mismatch is a red flag: the package can persist data if those scripts are run even though the skill claims it won't.
What to consider before installing
Do not install or enable this skill yet. Ask the publisher to explain why the bundle contains hundreds of unrelated files and why the SKILL.md (taobao-shopping) contradicts the skill name you saw. Specifically: (1) confirm which files are part of runtime instructions and which are mere references; (2) ask for a minimal package or a clear install/usage guide showing no local file writes; (3) refuse to provide any API keys or credentials until the scope is clarified; (4) if you want to try it, run it in a sandboxed environment (isolated VM/container) and audit any scripts that write to ~/.openclaw or reference external API tokens; (5) if the author cannot justify the extra files or remove instructions that read/write user memory, treat the package as untrusted.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • agents/main/second-brain-release/second-brain/test/run-tests.js:37: Shell command execution detected (child_process).
  • skills/context-preserver/bin/cli.js:17: Shell command execution detected (child_process).
  • skills/pattern-miner/src/analyzer.ts:35: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

latest vk970pv7pqqvc67cdn8bst5t1vd8372cd
341 downloads
0 stars
1 version
Updated 22h ago
v1.0.0
MIT-0

Taobao Shopping

Help users make better Taobao shopping decisions from public marketplace signals.

This is a low-sensitivity public skill. It focuses on public decision support and does not perform login, account access, cookie handling, order retrieval, coupon claiming, local database persistence, or browser automation runtime actions.

Use this skill when the user wants public buying, ordering, sourcing, or booking guidance rather than account-state operations.

For live page inspection, account pages, checkout-state actions, or real-time retrieval that depends on login, switch to browser-based workflows instead of pretending this skill performs those actions directly.

Read these references as needed:

  • references/marketplace-guide.md for supporting guidance
  • references/output-patterns.md for supporting guidance

Workflow

  1. Identify the user's shopping, ordering, or booking need.

    • Accept a product, merchant, ride, store, or booking scenario.
    • If the request is too broad, ask one short clarifying question.
  2. Focus on public decision-relevant factors.

    • Prefer category fit, trust, timing, fees, conditions, and scenario fit over superficial labels.
  3. Explain trade-offs.

    • Say why the strongest option fits.
    • Mention meaningful risks or caveats.
  4. Give practical next-step advice.

    • Tell the user what to verify before paying or placing an order.

Output

Use this structure unless the user asks for something shorter:

Best Option

State the strongest current choice.

Why

List the main reasons.

Caveats

List meaningful concerns or trade-offs.

Final Advice

Give a direct practical suggestion.

Quality bar

Do:

  • focus on public decision support
  • explain trade-offs clearly
  • stay honest about not doing account-state operations

Do not:

  • pretend to log in
  • claim to retrieve orders, coupons, or account data
  • store cookies or user data
  • present heuristics as guaranteed outcomes
