Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Baby Words Tracker
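v1.0.0
An intelligent assistant that records and tracks a baby's progress in learning to speak. It triggers automatically when the user says "记宝宝说/说了" ("note that the baby says/said") or "记录宝宝词汇" ("record baby vocabulary"). It supports multiple languages (Mandarin, Cantonese, English, and others), automatically classifies and counts one-character words, two-character words, three-character words, and sentences, supports a bracket annotation (for example, "(手)机" means the baby pronounced only the character "机"), automatically syncs to a Feishu cloud document, and generates language development reports.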
by @suiclaw
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (record and track baby words, categorize, sync to Feishu) align with the included files and instructions. However, the README and SKILL.md mention automatic Feishu synchronization and an optional feishu_doc_token, yet the skill metadata declares no required credentials or env vars — this mismatch is unexpected and unexplained.
Instruction Scope
SKILL.md explicitly tells the agent to parse input, update a local database at memory/baby-words-database.json, and '同步飞书' (sync to Feishu cloud document). The instructions do not tell the agent to read unrelated system files, but they do direct communication with an external service (Feishu). The instructions are otherwise specific about the DB path and record format, but vague about the exact Feishu API endpoints and how auth is obtained.
Install Mechanism
No install spec (instruction-only) and the single Python helper is a simple initializer that only prints a JSON structure. Nothing in the install surface writes or executes downloaded code, so install risk is low.
Credentials
The skill requires access to an external Feishu document (sensitive personal data). The README shows a feishu_doc_token example but the skill metadata lists no required env vars or primary credential. Requesting or using a cloud doc token is proportionate to the stated Feishu-sync feature, but failing to declare it is a red flag: it's unclear how the token is supplied, stored, or restricted. This ambiguity increases the risk of accidental exposure of children's data.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request elevated platform privileges or modify other skills. It writes to a local memory path (memory/baby-words-database.json) which is consistent with its purpose.
What to consider before installing
This skill appears functionally coherent except for how it handles Feishu (飞书) syncing: the README and SKILL.md mention a feishu_doc_token but the skill metadata does not declare any required credentials. Before installing, ask the author how Feishu authentication is provided and stored. If you plan to use Feishu sync, prefer a scoped, short-lived token limited to a single document; do not reuse broad account tokens. Verify the skill will only write to the advertised memory/baby-words-database.json and will not transmit other files (e.g., audio, system files). If you have privacy concerns about storing child language data in a third-party cloud, disable Feishu sync or run the skill in a sandbox with network disabled. Running scripts/init_database.py locally is safe for inspecting the DB schema. If the author cannot clearly explain where the Feishu token is stored or how network sync is performed, treat the skill as risky and avoid installing it on systems with sensitive data.
latestvk976eprseejxy8re8v0228yq5d84hkyk
