ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

BotLearn Reminder

v1.0.7

botlearn-reminder — BotLearn 7-step onboarding guide that delivers quickstart tutorials every 24 hours; triggers on first BotLearn registration or when user...

0· 92·0 current·0 all-time
by@asterisk622
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The described purpose (7-step onboarding reminders) matches the need to fetch pages and store progress, so requiring curl/bash is plausible. However the SKILL.md repeatedly references local scripts (scripts/check-progress.sh, scripts/fetch-quickstart.sh, scripts/update-progress.sh), setup.md, reminder-strategy.md, and schema files that are not present. Requesting node is not explained by the description and may be unnecessary for simple fetch/summarize tasks.
!
Instruction Scope
The runtime instructions direct the agent to autonomously execute setup steps, run shell scripts, read and update a memory file, and fetch external pages from https://botlearn.ai. Those actions are coherent for a reminder skill, but the instructions require files that don't exist in the bundle. The doc also directs immediate delivery of Step 1 without user confirmation (assumes opt-in), which is a behavioral risk and should be explicit to users.
Install Mechanism
This is an instruction-only skill (no install spec, no code files), which is lower install risk. However, the absence of any install or shipped scripts is inconsistent with the SKILL.md's repeated expectations that the agent will run provided shell scripts and read shipped files.
Credentials
No environment variables or external credentials are requested. The skill expects to set LANG for URL construction, which is proportional to its function.
Persistence & Privilege
Metadata enables a daily heartbeat and specifies a memory file for state; the skill intends periodic reminders. always is false (not force-installed), and the autonomous invocation default is in effect. This persistence is coherent for a reminder service but should be explicit to end users (scheduling, opt-in).
What to consider before installing
This skill's documentation instructs the agent to run local setup scripts and to read/write specific files, but the package contains only SKILL.md and no scripts (setup.md, scripts/*, reminder-strategy.md, memory schema are missing). Before installing: (1) ask the publisher for the missing files or an install spec so you can review the actual scripts the agent would execute; (2) confirm whether you consent to the agent autonomously delivering Step 1 immediately and running scheduled daily reminders; (3) verify the external domain (https://botlearn.ai) and understand what content the skill will fetch; (4) question the need for node if you prefer minimal dependencies. Because the manifest and runtime instructions are inconsistent, do not enable this skill until the missing artifacts and origin are provided and reviewed.

Like a lobster shell, security has layers — review code before you run it.

latestvk976anwgbbe2ezmxt2ct6wksch84f7qx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis
OSmacOS · Linux
Binscurl, node, bash

Comments