Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TARDIS

v1.2.0

Track elapsed time from a set epoch with tamper-evident locking. Like an analog Hobbs meter but digital. Use for tracking uptime, service hours, time since events, sobriety counters, project duration, equipment runtime. Supports create, lock (seal), check, verify against external hash, list, and export operations.

by @rm289 · duplicate of @rm289/hour-meter
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Core functionality (meter creation, locking, paper codes, verification, milestones) is implemented in meter.py and matches the description. Additional components — a SendGrid webhook server, cloud tunnel guidance, and a restart script — are related to milestone notification delivery but extend the skill into running networked services and system-level process management (e.g., cloudflared, nohup restart). That extra operational surface is plausible for notification features but is more than a minimal 'hour meter' and is environment-specific (references /root paths).
Instruction Scope
Runtime code auto-loads local .env files (~/.env, /root/.env, ./env) and exports them into the process; a helper script sources /root/.env. The SKILL.md and scripts instruct starting a webhook server, opening public tunnels (cloudflared/ngrok), and restarting services via nohup — all actions that access local files, open network endpoints, and create persistent background processes. The SKILL.md also documents an opt‑in feature where milestone messages prefixed with 'ACTION:' can be treated as agent instructions; if enabled this could allow remote message contents to influence agent behavior. These instructions go beyond simple local bookkeeping and increase risk.
Install Mechanism
There is no install spec (instruction-only skill): no remote downloads or package installs are declared. This is lower risk from a supply-chain perspective. However, the skill expects or recommends external binaries (cloudflared, ngrok, cloud tunnel usage) and will try to run them via the provided scripts if present. The included code files will write to user home paths when run (e.g., ~/.openclaw/), so running the scripts results in files on disk, but nothing in the package fetches remote archives.
Credentials
The registry metadata declares no required env vars, but the code expects and will load many sensitive variables if present: SENDGRID_API_KEY, SENDGRID_WEBHOOK_PUBLIC_KEY, SENDGRID_FROM_EMAIL, OPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_URL, TARDIS_DISCORD_WEBHOOK, and METER_STORAGE / METER_WITNESS overrides. More concerning: meter.py will auto‑load and export values from ~/.env and /root/.env if SENDGRID_API_KEY is missing, which could unintentionally surface unrelated secrets. The skill asks no explicit justification for scanning /root/.env (not proportional to a simple local meter).
Persistence & Privilege
The skill does not set always:true, but it includes scripts that create persistent background services (nohup for webhook server and cloudflared tunnel) and a helper script to restart them. Those scripts assume particular filesystem locations (/root/.openclaw/workspace/skills/hour-meter) and may be intended to run by system cron/heartbeat. Running them gives the skill a persistent network presence and the ability to accept external events (SendGrid webhooks) and forward them via Discord or an OpenClaw gateway token. That increases the blast radius compared to a purely local CLI tool.
Scan Findings in Context
[base64-block] unexpected: A base64 block was detected in SKILL.md (likely an embedded SVG/data-URL image in README). This pattern can appear in benign assets, but it was flagged by the pre-scan as a prompt-injection pattern. Review embedded data URLs; they are probably harmless here (an SVG badge) but always verify there is no hidden code or malicious payload encoded.
What to consider before installing
What to consider before installing or running this skill:

  • Review the code locally before executing. The repository contains runnable Python scripts (meter.py, sendgrid_webhook.py) and a helper shell script that can start background services. Do not run them without inspection.
  • Be cautious with .env files: meter.py auto-loads ~/.env, /root/.env, and ./ . If you have sensitive secrets in those locations, the skill may read them into its process. Either remove unrelated secrets or run the skill in a sandboxed account/container.
  • SendGrid and gateway tokens are optional but powerful. Only provide SENDGRID_API_KEY or OPENCLAW_GATEWAY_TOKEN if you trust the skill and understand the destination (SendGrid actions send email; gateway token allows sending messages via your OpenClaw gateway).
  • If you plan to use the webhook server: prefer direct Discord webhooks over exposing an OpenClaw gateway token; enable SendGrid webhook signature verification (provide SENDGRID_WEBHOOK_PUBLIC_KEY and ensure the 'cryptography' dependency is available) to avoid spoofed events.
  • The check-webhook-services.sh script references /root paths and will try to start cloudflared and the webhook server with nohup. Do not run that script as-is on shared or production hosts. Instead adapt paths, run under a non-root user, or manage services with a proper supervisor.
  • The 'ACTION:' opt-in feature that can treat milestone message text as agent instructions is risky. Do not enable any agent behavior that executes remote message contents unless you fully trust the source and have strict sanitization/whitelisting.
  • If you only need local time tracking, consider using meter.py without enabling email/webhook features, avoid running the webhook server, and keep witness files local (or opt for paper/photo backups).

If you want, I can point out the specific lines in meter.py or sendgrid_webhook.py that implement the .env auto-loading, webhook forwarding, and 'ACTION:' handling so you can review them more quickly.

Like a lobster shell, security has layers — review code before you run it.

latest vk9750374ggg8hkfdbbk1tx675s80pbze
2k downloads
2 stars
4 versions
Updated 22h ago
v1.2.0
MIT-0

Hour Meter (TARDIS on ClawHub)

Life event tracker with three modes, milestone notifications, and tamper-evident verification.

ClawHub Note: This skill is published as TARDIS on ClawHub after the original hour-meter listing was lost due to a repository sync issue.

Three Modes

COUNT UP — Time since an event

# Quit smoking tracker
meter.py create smoke-free --start "2025-06-15T08:00:00Z" -d "Last cigarette"
meter.py milestone smoke-free -t hours -v 720 -m "🎉 30 days smoke-free!"
meter.py lock smoke-free  # → Gives you paper code to save

COUNT DOWN — Time until an event

# Baby due date
meter.py create baby --start "2026-01-15" --end "2026-10-15" --mode down -d "Baby arriving!"
meter.py milestone baby -t percent -v 33 -m "👶 First trimester complete!"

COUNT BETWEEN — Journey from start to end

# Career span
meter.py create career --start "1998-05-15" --end "2038-05-15" -d "40-year career"
meter.py milestone career -t percent -v 50 -m "📊 Halfway through career!"
meter.py career --meter career --rate 85 --raise-pct 2.5

Tamper-Evident Persistence

When you lock a meter, you get a paper code — a short, checksummed code you can write on paper:

╔══════════════════════════════════════════════════════════════╗
║  PAPER CODE (write this down):                               ║
║     318B-3229-C523-2F9C-V                                    ║
╚══════════════════════════════════════════════════════════════╝

Four Ways to Save (Non-Technical)

1️⃣ PAPER — Write the code on paper/sticky note

  • 20 characters with dashes, easy to copy
  • Built-in checksum catches typos when verifying
  • Keep in wallet, safe, or taped to equipment

2️⃣ PHOTO — Screenshot or photograph the lock screen

  • Store in camera roll, cloud photos
  • Visual backup, no typing required

3️⃣ WITNESS FILE — Auto-saved to ~/.openclaw/meter-witness.txt

  • Append-only log of all locked meters
  • Sync folder to Dropbox/iCloud/Google Drive for cloud backup
  • Contains paper code + full hash + timestamp

4️⃣ EMAIL TO SELF — Click the mailto: link or copy the one-liner

  • Opens your email client with pre-filled subject and body
  • Or copy the compact message: 🔒 my-meter | Code: XXXX-XXXX-XXXX-XXXX-C | Locked: 2026-02-02
  • Send to yourself, search inbox later to verify

5️⃣ SENDGRID EMAIL — Auto-send verification email on lock

# Set your SendGrid API key
export SENDGRID_API_KEY=SG.xxxxx
export SENDGRID_FROM_EMAIL=verified@yourdomain.com

# Lock and email in one command
meter.py lock my-meter --email you@example.com

  • Sends a beautifully formatted HTML email with paper code
  • Requires a verified sender in SendGrid (see SendGrid docs)
  • Great for automated workflows

Verifying Later

# With paper code (catches typos!)
meter.py verify my-meter "318B-3229-C523-2F9C-V"

# → ✅ VERIFIED! Paper code matches.
# → ⚠️ CHECKSUM ERROR! (if you have a typo)
# → ❌ MISMATCH! (if tampered)
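
The three outcomes above can be told apart because a check character is validated before the stored record is consulted. The following is an added example, not TARDIS's own scheme: the SHA-256 over canonical JSON, the 16-hex-digit truncation, the mod-31 check character, and the names paper_code and verify are all assumptions made for illustration.

```python
import hashlib
import json

# 31 unambiguous symbols; a prime modulus lets the weighted sum below
# catch every single-digit typo and every swap of two neighbouring digits.
CHECK_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXY"

# Constructed sample record (fields borrowed from the smoke-free example).
SAMPLE = {"name": "smoke-free", "start": "2025-06-15T08:00:00Z", "mode": "up"}

def _check_char(hex16):
    total = sum((i + 1) * int(c, 16) for i, c in enumerate(hex16))
    return CHECK_ALPHABET[total % len(CHECK_ALPHABET)]

def paper_code(record):
    """Derive XXXX-XXXX-XXXX-XXXX-C from the sealed fields of a meter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    body = hashlib.sha256(canonical.encode("utf-8")).hexdigest().upper()[:16]
    groups = [body[i:i + 4] for i in range(0, 16, 4)]
    return "-".join(groups + [_check_char(body)])

def verify(record, typed_code):
    """Return 'verified', 'checksum_error' (typo) or 'mismatch' (record changed)."""
    compact = "".join(typed_code.split()).replace("-", "").upper()
    if len(compact) != 17:
        return "checksum_error"
    body, check = compact[:16], compact[16]
    if set(body) - set("0123456789ABCDEF") or _check_char(body) != check:
        return "checksum_error"  # the code itself is malformed: re-type it
    # The code is well-formed, so any difference now means the stored
    # record no longer hashes to what was written down at lock time.
    expected = paper_code(record).replace("-", "")
    return "verified" if expected == compact else "mismatch"
```

The check character only protects against transcription errors. Tamper evidence comes from keeping the code somewhere the machine holding the meter cannot rewrite, and a 16-digit truncation gives 64 bits of hash, which is what an attacker editing the record would have to match.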

Milestones

meter.py milestone <name> --type hours --value 1000 --message "1000 hours!"
meter.py milestone <name> --type percent --value 50 --message "Halfway!"
meter.py check-milestones  # JSON output for automation

Email Milestone Notifications (v1.3.0)

Get milestone notifications sent directly to your email:

# Create meter with email notifications
meter.py create my-meter \
  --notify-email you@example.com \
  --from-email verified@yourdomain.com \
  -d "My tracked event"

# Add milestones as usual
meter.py milestone my-meter -t hours -v 24 -m "🎉 24 hours complete!"

# When check-milestones runs and a milestone fires, email is sent automatically
meter.py check-milestones
# → Triggers milestone AND sends email notification

Email includes:

  • 🎯 Milestone message
  • ⏱️ Current elapsed time
  • 📝 Meter description

Requires SENDGRID_API_KEY environment variable.
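
One way to supply that key without the whole-file .env auto-loading the scan above describes, as an added example (not code from meter.py): read a single, explicitly named file and return only the declared variables, leaving os.environ untouched. The function name load_scoped_env, the ALLOWED_KEYS set, the 0600 permission requirement and the sample file contents are assumptions.

```python
import os
import stat
import tempfile

# Variables the skill uses for email, per the scan findings above.
ALLOWED_KEYS = frozenset({
    "SENDGRID_API_KEY", "SENDGRID_FROM_EMAIL", "SENDGRID_WEBHOOK_PUBLIC_KEY",
})

def load_scoped_env(path, allowed=ALLOWED_KEYS):
    """Parse one explicitly named .env file and return only allowlisted keys.

    Nothing is written to os.environ, so unrelated secrets in the same file
    never reach child processes or other code in this interpreter.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: accessible by group/other, expected 0600")
    found, skipped = {}, []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("export "):
                line = line[len("export "):].lstrip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # drop matching surrounding quotes
            if key in allowed:
                found[key] = value
            else:
                skipped.append(key)  # keep the name for logging, never the value
    return found, skipped

def demo():
    # Constructed sample: one declared key beside two unrelated secrets.
    sample = ('export SENDGRID_API_KEY="SG.constructed"\n'
              "DB_PASSWORD=unrelated-1\nOTHER_SERVICE_TOKEN=unrelated-2\n")
    fd, path = tempfile.mkstemp(suffix=".env")  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(sample)
        return load_scoped_env(path)
    finally:
        os.unlink(path)
```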

Milestone Notifications: Heartbeat vs Cron

Recommended: HEARTBEAT (~30 min resolution)

  • Add to HEARTBEAT.md: Run meter.py check-milestones and notify triggered
  • Batches with other periodic checks
  • Cost-efficient: shares token usage with other heartbeat tasks
  • Good for most use cases (quit tracking, career milestones, etc.)

Milestone Messages

Milestones post their message text to the configured notification channel when triggered:

# Posts the message when milestone fires
meter.py milestone my-meter -t hours -v 24 -m "🎉 24 hours complete!"

Configure in HEARTBEAT.md:

- Run meter.py check-milestones and post triggered milestone messages to the configured channel

Advanced: Milestone messages prefixed with ACTION: can optionally be treated as agent instructions by your heartbeat config. This is an opt-in feature — see README.md for security considerations.
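
If the ACTION: opt-in is enabled, the heartbeat side should treat milestone text as data and accept only a fixed set of argument-free action ids. A routing sketch of that rule follows, as an added example that is not part of the skill: route_milestone_message, the ALLOWED_ACTIONS ids and the local/remote source label are all hypothetical.

```python
import re
import unicodedata

# Hypothetical allowlist: each id maps to one fixed operation with no
# free-form arguments, so message text can never carry parameters.
ALLOWED_ACTIONS = frozenset({"export-meters", "post-summary"})
_ACTION_RE = re.compile(r"ACTION:\s*([a-z0-9-]{1,32})")

def route_milestone_message(message, source, actions_enabled=False):
    """Return ('action', id) or ('post', text) for one triggered milestone.

    source is 'local' for milestones read from the meter store on disk and
    'remote' for text that arrived over the network (webhook, email).
    """
    # Fold look-alike forms (e.g. full-width letters) and drop control and
    # format characters so the prefix check sees what a reader would see.
    text = unicodedata.normalize("NFKC", message)
    text = "".join(ch for ch in text
                   if ch == "\n" or unicodedata.category(ch)[0] != "C").strip()
    match = _ACTION_RE.fullmatch(text)
    if (match and actions_enabled and source == "local"
            and match.group(1) in ALLOWED_ACTIONS):
        return ("action", match.group(1))
    if text.upper().startswith("ACTION:"):
        # Disabled, remote, unknown id, or trailing free text: post it as
        # inert, visibly marked text instead of handing it to the agent.
        return ("post", "[unexecuted] " + text)
    return ("post", text)
```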

Alternative: CRON (precise timing)

  • Use when exact timing matters (e.g., countdown to event)
  • ⚠️ Cost warning: Cron at 1-minute intervals = 1,440 API calls/day = expensive!
  • If using cron, keep intervals ≥15 minutes to manage costs
  • Best for one-shot reminders, not continuous monitoring

Rule of thumb: If 30-minute resolution is acceptable, use heartbeat. Save cron for precision timing.

Quick Reference

meter.py create <name> [--start T] [--end T] [--mode up|down|between] [-d DESC]
meter.py lock <name>                # Seal + get paper code
meter.py verify <name> <code>       # Verify paper code
meter.py check <name>               # Status + progress
meter.py milestone <name> -t hours|percent -v N -m "..."
meter.py check-milestones           # All milestones (JSON)
meter.py witness [--show] [--path]  # Witness file
meter.py list                       # All meters
meter.py career [--meter M] [--rate R] [--raise-pct P]
meter.py export [name]              # JSON export

SendGrid Email Webhook Server

Receive real-time notifications when recipients open, click, bounce, or unsubscribe from your meter verification emails.

Setup

# Start webhook server with Discord webhook (recommended)
python sendgrid_webhook.py --port 8089 --discord-webhook https://discord.com/api/webhooks/xxx/yyy

# Or process events manually (for agent to post)
python sendgrid_webhook.py --process-events
python sendgrid_webhook.py --process-events --json

Discord Webhook Setup (Recommended)

  1. In your Discord channel, go to Settings > Integrations > Webhooks
  2. Click New Webhook, copy the URL
  3. Pass to --discord-webhook or set DISCORD_WEBHOOK_URL env var

SendGrid Setup

  1. Go to SendGrid > Settings > Mail Settings > Event Webhook
  2. Click "Create new webhook" (or edit existing)
  3. Set HTTP POST URL to: https://your-domain.com/webhooks/sendgrid
  4. Select all event types under Actions to be posted:
    • Engagement data: Opened, Clicked, Unsubscribed, Spam Reports, Group Unsubscribes, Group Resubscribes
    • Deliverability Data: Processed, Dropped, Deferred, Bounced, Delivered
    • Account Data: Account Status Change
  5. Click "Test Integration" to verify - this fires all event types to your webhook
  6. Important: Click Save to enable the webhook!
  7. (Optional) Enable Signed Event Webhook for security and set SENDGRID_WEBHOOK_PUBLIC_KEY


Event Types

Event       | Emoji | Description
delivered   |       | Email reached recipient
open        | 👀    | Recipient opened email
click       | 🔗    | Recipient clicked a link
bounce      | ⚠️    | Email bounced
unsubscribe | 🔕    | Recipient unsubscribed
spamreport  | 🚨    | Marked as spam

Environment Variables

SENDGRID_WEBHOOK_PUBLIC_KEY    # For signature verification (optional)
SENDGRID_WEBHOOK_MAX_AGE_SECONDS  # Max timestamp age (default: 300)
WEBHOOK_PORT                   # Server port (default: 8089)
DISCORD_WEBHOOK_URL            # Discord webhook URL
WEBHOOK_LOG_FILE               # Log file path

The 80,000 Hours Concept

Career as finite inventory: 40 years × 2,000 hrs/year = 80,000 hours.

meter.py career --hours-worked 56000 --rate 85 --raise-pct 2.5
# → 12.3 years remaining, $2.4M earning potential
