ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Productivity Helper #1

v1.0.0

Productivity helper tool #1 for task management, time tracking, and workflow optimization. Helps organize daily tasks and boost efficiency.

0· 1·0 current·0 all-time
by@tobeyrebecca
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (task management, time tracking, workflow optimization) match the SKILL.md content. However README text references cloning a GitHub repo (git clone https://github.com/TobeyRebecca/productivity-helper.git) even though the skill declares no install spec or code files in the package—this is an unexplained source/installation hint.
!
Instruction Scope
SKILL.md is high-level and gives the agent broad discretion ('help organize and prioritize your tasks') while declaring allowed-tools: Bash, Read, Write. The doc does not constrain what files to read or write or what Bash commands to run, which could let the skill access arbitrary local files if invoked with those tools.
Install Mechanism
There is no formal install specification (lowest-risk form). The README, however, contains manual install commands that would clone a third-party GitHub repository and copy files into the skills directory—this is not executed by the skill but is an external instruction that could lead to executing unreviewed code if followed.
Credentials
The skill requests no environment variables, no credentials, and no config paths. There are no listed secrets or unrelated credential requests.
Persistence & Privilege
always is false and nothing in the package requests persistent or elevated privileges. The skill allows autonomous invocation by default (platform default), which is normal; no installation-time self-modification is declared.
What to consider before installing
This skill appears to be what it says (a productivity helper) but is vague and gives the agent permission to run Bash and read/write files without specifying safe bounds. Before installing or enabling it: 1) ask the publisher for a canonical source URL or full code to review; 2) avoid running the README's git clone/cp commands without inspecting that repository first; 3) if you must test it, run it in a sandboxed account or VM and do not grant it access to sensitive files; 4) prefer skills that include an explicit install spec, a verified homepage/repository, and clear limits on what system files or commands they will use.

Like a lobster shell, security has layers — review code before you run it.

automationvk97cbvka7k344hxv67822wvcjd84rys5latestvk97cbvka7k344hxv67822wvcjd84rys5productivityvk97cbvka7k344hxv67822wvcjd84rys5tasksvk97cbvka7k344hxv67822wvcjd84rys5workflowvk97cbvka7k344hxv67822wvcjd84rys5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis

Comments