Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Productivity Helper #2

v1.0.0

Productivity helper tool #2 for task management, time tracking, and workflow optimization. Helps organize daily tasks and boost efficiency.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description align with a simple task/time-tracking helper and the SKILL.md contains only UI/usage text. However, the README and install instructions reference a different slug, an external GitHub repo (https://github.com/TobeyRebecca/productivity-helper.git), and a different package name (toby-productivity-helper vs toby-productivity-helper-2), which is inconsistent and unexplained.
Instruction Scope
Runtime instructions in SKILL.md are minimal and do not instruct reading files, environment variables, or network calls. But the skill metadata allows tools Bash, Read, and Write — these give the agent shell and file system capabilities that the plain instructions do not need.
Install Mechanism
There is no declared install spec in the packaged skill (instruction-only), which is low-risk. However, the README lists a manual install via git clone from a personal GitHub repo and a ClawHub install command for a different slug; pointing users to cloning external code is potentially risky and inconsistent with the shipped package. This raises supply-chain concerns if a user follows those steps.
Credentials
The skill does not request any environment variables, credentials, or config paths — this is proportionate to its stated purpose.
Persistence & Privilege
always is false and there are no install hooks, so the skill does not request permanent inclusion. Still, allowing Bash/Read/Write grants the agent capabilities to read/write files and run shell commands at runtime, increasing potential impact if the skill is invoked.
What to consider before installing
This skill's content itself is harmless and matches a simple productivity helper, but there are three things to watch for: (1) the SKILL.md metadata permits Bash/Read/Write — unnecessary for a text-based planner and gives the agent shell and file access; consider denying those tools unless you inspect why they're needed; (2) README suggests installing code from a personal GitHub repo and references a different package name — do not run git clone or follow external install steps unless you have inspected that repository and trust the maintainer; (3) ask the publisher to clarify the slug mismatch and why external code or shell/file access is required. If you want to proceed, request the author to remove or justify Bash/Read/Write and to include a clear, matching install spec or embed all needed code so you can audit it first.


Tags: automation, latest, productivity, tasks, workflow


Runtime requirements

Clawdis
