Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

经期管理 / Period Tracker

v1.2.0

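经期管理 / Period Tracker - a women's health cycle tracking tool. Fully natural-language interaction, with no commands to memorize. Features: (1) Period logging - just say 'my period started' to record it; (2) Symptom logging - say 'cramps level 2' or 'feeling irritable'; (3) Cycle prediction - say 'when is my next period'; (4) Ovulation management - a conception-probability calendar; (5) Scheduled reminders - say 'help...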

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (period tracking, ovulation, reminders) aligns with the code and SKILL.md. Minor mismatch: SKILL.md/registry declare no required binaries, but the code optionally invokes 'clawhub' (for update checks) and uses the system 'crontab' command for reminders. These are plausible for the stated purpose but should be noted.
Instruction Scope
Runtime instructions and scripts operate on local data (~/.openclaw/workspace/period_tracker/data.json), run local commands (python3, crontab), and schedule cron jobs. They do not call external web endpoints or read unrelated system credentials. The reminder script parses and rewrites the user's crontab — this is expected for a reminder feature but is a privileged local operation.
Install Mechanism
No install spec (instruction-only with bundled scripts). Nothing is downloaded from external URLs or extracted. Risk from install mechanism is low.
Credentials
The skill requests no environment variables or external credentials. All data is stored locally in a JSON file; the requested access (filesystem and crontab) is proportionate to the stated features.
Persistence & Privilege
The skill does not set always:true and does not request elevated system permissions, but setup_reminder.py will read and overwrite the user's crontab to add scheduled jobs. This grants the skill persistent scheduled execution (as the user) and should be confirmed by the user before enabling reminders.
Assessment
What to consider before installing:

- Privacy: all health data is stored locally at ~/.openclaw/workspace/period_tracker/data.json; it is not uploaded by the code. If you want stronger protection, back up/encrypt or delete the file when not needed.
- Crontab changes: the reminder script reads and rewrites your user crontab to add scheduled notifications. Review the exact cron lines before allowing setup and be aware it will run the script as your user at scheduled times.
- Local commands: the code may invoke 'crontab' and (optionally) 'clawhub' to check updates. If you do not have clawhub installed, that call is wrapped in try/except and will silently do nothing. If you do have clawhub, update-check behavior will run the local binary — consider whether you trust that tool.
- Version mismatch: registry metadata shows 1.2.0 while the script's CURRENT_VERSION is 1.1.0 — not a security issue by itself but indicates maintenance/versioning inconsistency you may want to confirm.
- Audit before enabling: inspect the cron entries that will be added and the data file contents if you have sensitive notes. If you only want ephemeral use, avoid enabling persistent reminders or delete cron entries after use.

Overall this appears coherent and consistent with a local period-tracker; the primary risks are local (crontab modification and storage of sensitive health data) rather than unexplained network or credential access.

Like a lobster shell, security has layers — review code before you run it.
