Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Word Memory

v1.0.0

Word memory assistant - Ebbinghaus memory curve, daily check-in, vocabulary tests

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (word memorization assistant) matches the implementation: the Python program provides learning, quizzing, and local progress storage. However, SKILL.md and README claim external dictionary APIs and automatic daily pushes; those features are not implemented in the code. Overall, the purpose is coherent, but the documented capabilities exceed what the code actually does.
Instruction Scope
SKILL.md says the skill needs network access (dictionary APIs), file read/write under ~/.openclaw/workspace/word-memory, and timed push tasks. The code performs only local file I/O (progress.json and stats.json placed next to the module) and contains TODOs for scheduling, network lookups, and full word-database import. There is a concrete mismatch in storage paths (SKILL.md path vs code's DATA_DIR) and in described runtime actions (network/scheduling) vs actual behavior.
Install Mechanism
No install spec; the skill is instruction + a single Python file. No third-party packages or remote downloads are performed at install time.
Credentials
The SKILL.md lists permissions (network, file write, scheduling) but the package requests no environment variables or credentials. The declared data sources (Youdao, Collins, Cambridge) would normally require network access or API keys, yet none are requested or used. This inconsistency should be clarified if you expect external dictionary integration.
Persistence & Privilege
Skill does not request elevated privileges and is not marked always:true. It writes local progress files next to the module; be aware writing into the package directory can be unexpected depending on how the skill is installed (may fail or create files in install dir). It does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a straightforward local vocabulary helper, but the documentation over-promises: it mentions external dictionary APIs, scheduled daily pushes, and storing progress under ~/.openclaw/workspace, none of which are implemented in the shipped Python file. Before installing or using it widely, consider:
1) If you expect automatic daily pushes or online dictionary lookups, ask the author for a version that implements and documents those features (and any required API keys).
2) Note the program writes progress.json and stats.json into the same directory as the code. If the skill is installed system-wide, this could fail or place files in an unexpected location; consider running it in a writable user directory.
3) There is no network or network-exfiltration code in the current file, so the risk of hidden exfiltration is low, but the mismatch between doc and code reduces trust. Request clarification or an updated release before granting broader permissions or relying on the promised features.

Like a lobster shell, security has layers — review code before you run it.

latestvk9715c87cstfr3xzc4rpy44rm983yc0g
