Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
bedtime-story-generator
v1.0.0
A sleep and relaxation skill that sends AI-generated bedtime audio stories mixed with ambient background music as a voice message on WhatsApp, WeChat, or Fei...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md declares that ffmpeg and ffprobe are required to create and mix audio, but the registry metadata shown at the top of the report lists no required binaries — a mismatch. Aside from that, the skill's actions (download story/bgm from OSS, mix audio, send via OpenClaw messaging channels) are coherent with the stated bedtime-audio purpose.
Instruction Scope
Runtime instructions tell the agent to read local OpenClaw account files (~/.openclaw/openclaw-weixin/accounts/*.context-tokens.json) to extract a user ID and to call openclaw message/send and openclaw cron commands. Reading account context files and scheduling autonomous push messages expands scope beyond a one-off chat; it touches local messaging account data and enables future unsolicited sends (proactive mode).
Install Mechanism
No install spec / no code files — instruction-only skill. That is the lowest install risk (nothing new written by an installer). The README suggests a git clone for manual installation, but the registry itself has no automated installer.
Credentials
The skill declares no required environment variables, which is good, but the SKILL.md instructs reading local OpenClaw account JSON files that likely contain account identifiers and possibly tokens. Even if the provided Python snippet only prints a UID, it opens and parses credential-containing files — this is sensitive and should be justified by the need to target the user's messenger account.
Persistence & Privilege
The skill proposes adding a persistent cron job (dozytale-nightly) to proactively send scheduled audio messages. always:false (good), but the cron grants the skill recurring autonomous capability; the user should explicitly opt into and understand the scheduled pushes.
What to consider before installing
Before installing, verify these points: (1) The SKILL.md requires ffmpeg/ffprobe but the registry metadata omitted them — ensure ffmpeg is installed if you want the skill to work. (2) The skill reads OpenClaw account files in your home directory to find messenger user IDs; this accesses files that may contain account identifiers or tokens. Only proceed if you trust the skill and are comfortable with it reading those local files. (3) The skill asks to register a cron job that will send messages proactively — confirm you want automated daily pushes and which account will receive them. (4) Check the OSS URLs (ai-display.oss-cn-beijing.aliyuncs.com) and confirm the publisher/repo (README references a GitHub repo) before cloning any code. If you have doubts, ask the publisher for a hosted source repo, or inspect the repository contents locally before enabling the cron or granting long-lived access.
Like a lobster shell, security has layers — review code before you run it.
