ClawHub

What Should We Do?

v2.1.0

What should we do? Smart activity discovery with live weather, local movie showtimes, streaming recommendations, game library matching, group profiles, routines & traditions, favorites/blacklists, business hours, ratings filtering, Quick Mode for instant suggestions, calendar integration (Google Calendar + cron reminders), group invites via Telegram/message channels, and RSVP tracking. Helps you stop scrolling and start living. Use when someone says 'what to do', 'bored', 'fun', 'tonight', 'date night', 'things to do', 'activity ideas', 'entertainment', 'adventure', 'what should we do', 'need plans', 'something fun', 'stay home', 'game night', 'movie night', 'put it on the calendar', 'send invites', 'who's coming', or just seems like they need a nudge off the couch. Optional Google Places integration for real nearby suggestions with ratings, hours, and links.

4· 2.5k·2 current·2 all-time
by@scottfo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill promises calendar integration, sending invites via Telegram/other message channels, and optional Google Places lookups — all of which normally require API credentials/authorization. The registry metadata shows no required environment variables or primary credential, which is inconsistent with the stated capabilities.
!
Instruction Scope
SKILL.md instructs the agent to read and write user profile data (preferences, history) under <workspace>/data/whatdo/, check the calendar, check the weather, check streaming services and local showtimes, and send invites to people using stored telegram/phone/email contacts. Those instructions include handling personal contact details and creating events/notifications; they grant broad discretion to access and transmit user data beyond a simple 'suggestion' task.
Install Mechanism
There is no install spec and no code files — everything is instruction-only. That reduces filesystem/remote-download risk because nothing arbitrary will be written during install.
!
Credentials
The skill uses services that require secrets (Google Calendar/Places API keys, Telegram bot token or SMS/email gateway credentials) but declares none. The data schema stores PII (phone numbers, emails, Telegram handles) in workspace files; without explicit credential/dependency declarations it's unclear how those services will be authorized or protected.
Persistence & Privilege
always is false and the skill is user-invocable; it stores user data under a workspace path it specifies (normal for stateful skills). However, autonomous invocation is allowed by default — combine that with the above concerns when deciding whether to enable it.
Scan Findings in Context
[unicode-control-chars] unexpected: Prompt-injection patterns (unicode control characters) were detected inside SKILL.md. This can be used to manipulate the agent's parsing or evaluation. It is not expected for a typical activity-suggestion skill and should be examined further.
What to consider before installing
This skill appears to do a lot (calendar events, group invites, messaging, Google Places lookups) but it doesn't declare the API keys or tokens it will need. Before installing: 1) ask the publisher how OAuth/credentials are handled and what exact env vars or tokens are required; 2) verify whether it will actually send messages or calendar events automatically and whether you can require explicit confirmation; 3) inspect the full SKILL.md for the prompt-injection characters and remove or sanitize any suspicious control characters; 4) consider running it in a restricted workspace or sandbox and avoid supplying long-lived credentials — prefer OAuth flows or per-action authorization; and 5) review how and where it stores contact info/PII and whether that storage is acceptable for your privacy needs.

Like a lobster shell, security has layers — review code before you run it.

latestvk9710htz5j2c7rfmp7dnty919d7zy0mt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎲 Clawdis

Comments