Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
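Skill Usage Records and Statistics (Nicki)
v1.1.0 Skill invocation logging and statistical analysis. Automatically tracks all skill invocations with no user action required. Supports skill usage statistics reports by day, week, month, quarter, and year. Ready to use after installation, no configuration needed.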
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description claims automatic tracking of all skill invocations (via a HEARTBEAT every 2 hours) and active insertion of notifications into replies. The shipped artifacts are only log.py (append a record) and query.py (generate reports) operating on a local usage.json. There is no code to scan session history, run periodic heartbeats, or hook into agent responses. That mismatch means the skill does not actually provide the advertised automatic capability.
Instruction Scope
SKILL.md instructs automatic session-history scanning and telling users 'just now you called XXX' at the end of replies — actions that would require agent hooks and access to session logs. The provided scripts neither inspect session state nor modify agent replies; they only accept explicit CLI arguments. The instructions are therefore overly broad and grant the skill capabilities it doesn't implement.
Install Mechanism
No install spec or external downloads; code is included in the skill bundle and performs only local file I/O. This is a low-risk installation mechanism.
Credentials
No environment variables, no credentials, and no network access in the code. The scripts only read/write a local usage.json in the skill directory — this is proportionate to a local usage-logging utility. Note: if the advertised heartbeat/session scanning were implemented, it would likely require access to session/history data (sensitive) and possibly additional privileges.
Persistence & Privilege
always is false; the skill does not request persistent system-wide privileges or modify other skills. It stores data in its own data/usage.json file only.
What to consider before installing
This skill is inconsistent: it promises automatic background tracking and reply-injection but only ships two simple CLI scripts that manually log to and query a local JSON file. Before installing, decide whether you trust a skill that would need to access session histories or modify agent replies. If you only want manual logging/reporting, this bundle is harmless — it stores records locally and has no network calls. If you expect automatic behavior, ask the author for the missing integration code (heartbeat scheduler, session-history reader, and reply hook) and review any such code carefully for what session data it reads and whether it transmits data off the machine. Also: confirm how the agent is expected to invoke log.py automatically (agent hooks/permissions) and audit that integration path for privacy risks.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c0cv5v5cg3nsrb9xmnb1qds83tzv7
