Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Family AI Starter — Complete Home Setup Kit

v1.0.0

Transforms your OpenClaw workspace into a personalized family assistant with homework help, chore tracking, meal planning, calendar, and communications manag...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (homework helper, meal planner, chore tracker, family vault) align with the SKILL.md instructions to create configuration files and sub-skills. However, the 'family vault' and the onboarding interview request sensitive items (medical conditions, insurance, emergency contacts, IEPs). The skill does not declare any secure storage, encryption, or access-control mechanisms for these data, which is a capability/requirements gap for a vault-like feature.
Instruction Scope
Runtime instructions explicitly instruct the agent to run an interview that collects highly sensitive personal data (health conditions, insurance, schools, emergency contacts) and then auto-generate local configuration and personality files. The SKILL.md also directs proactive behavior (flagging allergies, sending check-ins). There are no limits, retention rules, or explicit constraints (e.g., 'never transmit externally without explicit consent'), so the instruction scope grants broad discretion to collect, store, and act on sensitive data — potentially beyond what some users expect.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is downloaded or executed during install, which minimizes supply-chain risk. The lack of install steps is coherent with the described behavior of generating local files and templates.
Credentials
The skill declares no required environment variables or credentials, yet it asks which communication platform the family uses and promises to act in family chats. If the skill later integrates with Telegram/Discord/other, platform tokens/credentials will be necessary — these are not declared here. Also, although no secrets are requested up front, the skill asks to store sensitive personal data in workspace files without describing access controls, which is a proportionality/privacy concern.
Persistence & Privilege
always:false (good). The skill will create persistent files (family-config.json, SOUL-family.md, HEARTBEAT-family.md, USER-template.md) in the workspace and defines sub-skills that 'activate automatically when you need it.' Autonomous invocation is allowed by default — combined with stored sensitive data and proactive messaging behavior this increases risk if users haven't explicitly configured where/how messages are sent or who can access the workspace files.
What to consider before installing
This skill coherently implements a family assistant but asks you to provide and store sensitive personal data (medical info, insurance, emergency contacts, IEPs) and to enable proactive behaviors without specifying security controls. Before installing:
(1) confirm where workspace files are stored and whether they are encrypted/backed up;
(2) decide whether you want to store highly sensitive items in these files — consider redacting or keeping them out of the workspace;
(3) require explicit, manual setup of any chat integrations (Telegram/Discord) and never paste tokens into the skill unless you trust the integration path;
(4) ask the author to document access controls, retention policy, and an explicit 'do not transmit externally' rule;
(5) test the skill in a sandbox workspace first, and limit autonomous actions (disable proactive messages) until you verify behavior.
If you cannot get assurances or detailed security docs from the source, treat this as high-privacy-risk and proceed cautiously or avoid installing.

Like a lobster shell, security has layers — review code before you run it.

Tags: family, homework, household, kids, latest, parenting, setup
