ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tar

Tar - command-line tool for everyday use

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 35 · 0 current installs · 0 all-time installs
by@bytesagain1
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose is a general 'Tar - command-line tool for everyday use' and the included script implements a local logging/sysops toolkit that creates and manages log files under ~/.local/share/tar — this is broadly consistent with a local utility. However, the SKILL.md command list (e.g., 'tar run', 'tar add', 'tar list') does not match the script's implemented subcommands (scan, monitor, report, etc.), and SKILL.md claims a configurable TAR_DIR while the script unconditionally uses $HOME/.local/share/tar. The metadata version (registry 1.0.2) vs SKILL.md version (2.0.0) and 'Source: unknown' / no homepage in registry vs bytesagain references in SKILL.md are additional provenance inconsistencies.
!
Instruction Scope
SKILL.md and the script both state that data is stored locally and exports go to files (no network endpoints shown), which is appropriate for a local tool. But SKILL.md instructs setting TAR_DIR and using commands that don't exist in the script; the script writes arbitrarily to the user's home directory (~/.local/share/tar) and logs arbitrary input lines, which could capture sensitive text if the agent or user supplies it. Because the README and runtime code disagree about commands and configuration, an agent following README instructions could mis-invoke the script or misunderstand what data will be recorded.
Install Mechanism
There is no install spec that downloads or executes remote code; this is an instruction-only skill with a local script included. That lowers supply-chain risk. The included script will create files under the user's home directory but no external downloads or archives are performed in the visible portion.
Credentials
The skill requests no credentials or environment variables. The script uses $HOME implicitly to build a data directory and does not actually read a TAR_DIR environment variable despite SKILL.md claiming that option; this mismatch is surprising and should be clarified, but there are no explicit secret exfiltration requests in the provided content.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system-wide modifications in the visible code. Its persistence is limited to writing log and export files under ~/.local/share/tar, which is within a normal per-user scope.
What to consider before installing
This skill appears to be a local CLI logger/tool, but several red flags mean you should be cautious: (1) metadata and SKILL.md disagree with the actual script — commands, version, and the advertised TAR_DIR env var don't match the code; (2) the skill name 'tar' collides with the standard system tar utility and could be confusing or accidentally override expected behavior; (3) the script writes logs and exports to ~/.local/share/tar and will record any text passed to it — avoid sending sensitive data until you confirm behavior; (4) provenance is unclear (registry says 'source: unknown' though SKILL.md mentions bytesagain.com). Before installing, ask the publisher to reconcile SKILL.md with the actual script, provide a trustworthy source/release URL, confirm whether the tool is intended to be named 'tar' (and whether it will replace or shadow system tar), and review the remaining truncated portion of the script for any network or shell-invoking behavior. If you proceed, run it in a sandboxed environment first and inspect created files and any outgoing connections.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk97fvv3p66kv983f178yzs1n41830s2z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Tar

Tar toolkit — create, extract, list, compress, and manage tar archives.

Commands

CommandDescription
tar helpShow usage info
tar runRun main task
tar statusCheck state
tar listList items
tar add <item>Add item
tar export <fmt>Export data

Usage

tar help
tar run
tar status

Examples

tar help
tar run
tar export json

Output

Results go to stdout. Save with tar run > output.txt.

Configuration

Set TAR_DIR to change data directory. Default: ~/.local/share/tar/

Powered by BytesAgain | bytesagain.com Feedback & Feature Requests: https://bytesagain.com/feedback

Features

  • Simple command-line interface for quick access
  • Local data storage with JSON/CSV export
  • History tracking and activity logs
  • Search across all entries
  • Status monitoring and health checks
  • No external dependencies required

Quick Start

# Check status
tar status

# View help and available commands
tar help

# View statistics
tar stats

# Export your data
tar export json

How It Works

Tar stores all data locally in ~/.local/share/tar/. Each command logs activity with timestamps for full traceability. Use stats to see a summary, or export to back up your data in JSON, CSV, or plain text format.

Support

Powered by BytesAgain | bytesagain.com

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…