ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

healthcheck

Track water and sleep with JSON file storage

MIT-0 · Free to use, modify, and redistribute. No attribution required.
8 · 13.8k · 760 current installs · 775 all-time installs
by@Stellarhold170NT
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md implements a simple local JSON-based water/sleep tracker, which matches the name and description. However, the runtime commands require Node.js (node -e) but the skill declares no required binaries; that mismatch should be resolved or documented.
!
Instruction Scope
Instructions only read/write {baseDir}/health-data.json (in-scope), but they instruct running inline node -e one-liners where the agent is expected to substitute user values (CUPS, NEW_CUPS). If those substitutions are not strictly validated/parsed as numbers, an attacker-controlled input could lead to shell/JS code injection or unintended filesystem writes. The SKILL.md does not include any sanitization or parsing guidance beyond 'replace CUPS with number'.
Install Mechanism
No install spec (instruction-only), so nothing is written to disk at install time. This is low-risk, but runtime does depend on Node.js being available (not declared).
Credentials
No environment variables, credentials, or config paths are requested — appropriate for a local JSON tracker.
Persistence & Privilege
always:false and standard autonomous invocation allowed. The skill does not request persistent platform-wide privileges or modify other skills' configs.
What to consider before installing
This skill appears to do what it says (local JSON health tracking), but you should check a few things before installing or enabling it: - Ensure the agent/platform will run these commands with Node.js available; the skill fails silently if node is missing even though it doesn't declare node as a required binary. - Verify how the agent substitutes user input (CUPS, NEW_CUPS). Inputs must be parsed/validated as numbers before being inserted into the one-line node -e commands to avoid JS/shell injection. Prefer numeric parsing rather than raw string substitution. - Confirm what {baseDir} resolves to and that the skill is restricted to that directory; otherwise the one-liners could read/write unexpected paths. - If you need stronger safety, ask the maintainer to provide safer code (e.g., a small script file that accepts sanitized arguments) or to declare Node as a required binary and include explicit input-sanitization steps in SKILL.md. Given the injection risk and the undeclared Node dependency, treat this skill as suspicious until those issues are clarified or fixed.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk97cjtb2v307k4bwjr00byqm8n80bf9t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Health Tracker

Simple tracking for water intake and sleep using JSON file.

Data Format

File: {baseDir}/health-data.json

{
  "water": [{"time": "ISO8601", "cups": 2}],
  "sleep": [{"time": "ISO8601", "action": "sleep|wake"}]
}

Add Water Record

When user says "uống X cốc" or "uống nước X cốc":

node -e "const fs=require('fs');const f='{baseDir}/health-data.json';let d={water:[],sleep:[]};try{d=JSON.parse(fs.readFileSync(f))}catch(e){}d.water.push({time:new Date().toISOString(),cups:CUPS});fs.writeFileSync(f,JSON.stringify(d));console.log('Da ghi: '+CUPS+' coc')"

Replace CUPS with number from user input.

Add Sleep Record

When user says "đi ngủ":

node -e "const fs=require('fs');const f='{baseDir}/health-data.json';let d={water:[],sleep:[]};try{d=JSON.parse(fs.readFileSync(f))}catch(e){}d.sleep.push({time:new Date().toISOString(),action:'sleep'});fs.writeFileSync(f,JSON.stringify(d));console.log('Da ghi: di ngu')"

Add Wake Record

When user says "thức dậy" or "dậy rồi":

node -e "const fs=require('fs');const f='{baseDir}/health-data.json';let d={water:[],sleep:[]};try{d=JSON.parse(fs.readFileSync(f))}catch(e){}const last=d.sleep.filter(s=>s.action==='sleep').pop();d.sleep.push({time:new Date().toISOString(),action:'wake'});fs.writeFileSync(f,JSON.stringify(d));if(last){const h=((new Date()-new Date(last.time))/3600000).toFixed(1);console.log('Da ngu: '+h+' gio')}else{console.log('Da ghi: thuc day')}"

View Stats

When user says "thống kê" or "xem thống kê":

node -e "const fs=require('fs');const f='{baseDir}/health-data.json';let d={water:[],sleep:[]};try{d=JSON.parse(fs.readFileSync(f))}catch(e){}console.log('Water:',d.water.length,'records');console.log('Sleep:',d.sleep.length,'records');const today=d.water.filter(w=>new Date(w.time).toDateString()===new Date().toDateString());console.log('Today:',today.reduce((s,w)=>s+w.cups,0),'cups')"

Update Record

To update last water entry:

node -e "const fs=require('fs');const f='{baseDir}/health-data.json';let d=JSON.parse(fs.readFileSync(f));d.water[d.water.length-1].cups=NEW_CUPS;fs.writeFileSync(f,JSON.stringify(d));console.log('Updated')"

Delete Record

To delete last water entry:

node -e "const fs=require('fs');const f='{baseDir}/health-data.json';let d=JSON.parse(fs.readFileSync(f));d.water.pop();fs.writeFileSync(f,JSON.stringify(d));console.log('Deleted')"

Notes

  • Uses Node.js built-in modules only
  • File auto-created if missing
  • All timestamps in ISO8601 format

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…