Dead Or Not
v1.0.2
A "life check" skill that periodically checks if the user is still responsive. If the user hasn't messaged for a set time, it asks if they're okay, and if no...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (send an email alert when a user is unresponsive) legitimately requires an outbound email capability and credentials; the included scripts implement that. However, the registry metadata lists no required environment variables/credentials despite SKILL.md and the scripts requiring SMTP_EMAIL, SMTP_PASSWORD, and NOTIFY_EMAIL. That metadata mismatch is unexpected and reduces transparency about what secrets are needed.
Instruction Scope
SKILL.md instructs creating a config file in ~/.openclaw/apps/deadornot containing plaintext SMTP credentials and scheduling a cron job that runs the provided check.sh. The instructions are ambiguous about how the agent will invoke send_mail.py with the same environment (send_mail.py reads env vars while the config file is sourced by the shell script). The guide also instructs modifying the user's crontab — a persistent action — and gives no guidance to secure the config file (permissions) or to limit which SMTP server/account is used.
Install Mechanism
There is no external install script or network download; the skill is delivered as files (SKILL.md + two scripts). No third-party packages are fetched at install time. This is low risk from an install-mechanism perspective.
Credentials
The skill requires sensitive credentials (SMTP_EMAIL and SMTP_PASSWORD) and an emergency contact email; these are proportionate to sending email alerts but the registry does not declare them. Storing SMTP_PASSWORD in a plaintext config in the user's home directory is potentially unsafe. Also, send_mail.py expects credentials to be available as environment variables — SKILL.md relies on sourcing the config via shell but does not spell out how the agent will preserve/pass those variables when invoking the Python script.
Persistence & Privilege
The skill modifies user state persistently: it creates ~/.openclaw/apps/deadornot, writes config/last_seen/last_asked/check_flag files, and the guide directs adding a cron entry to the user's crontab. It does not request 'always: true' or system-wide privileges, and it does not modify other skills or system config beyond the user's crontab and files in the user's home directory.
What to consider before installing
Things to consider before installing:
- Metadata mismatch: the registry claims no required env vars, but the skill needs SMTP_EMAIL, SMTP_PASSWORD and NOTIFY_EMAIL. Treat that as a transparency red flag — ask the publisher why credentials were not declared.
- Credentials handling: the SKILL.md tells you to store SMTP_PASSWORD in ~/.openclaw/apps/deadornot/config in plaintext. If you proceed, create a dedicated sender account (not your primary email), use an app-specific password if available, and set strict file permissions (chmod 600) on the config directory and file.
- Cron and persistence: the instructions add a crontab entry (persistent). Review and approve the exact crontab line before installing; consider running the script manually for testing before scheduling it.
- Execution ambiguity: send_mail.py reads credentials from environment variables, while the config file is a shell file that check.sh 'source's. Ensure the agent or whatever calls send_mail.py also sources the config (or modify send_mail.py to read the config file directly) so credentials are not lost or accidentally exposed.
- Review network target: the default SMTP_SERVER is smtp.qq.com. Confirm that you trust the chosen SMTP provider and that credentials are appropriate for outbound email through that server.
- Trust and provenance: the skill has no homepage and an unknown owner id. If you do not trust the source, do not provide real credentials. Consider auditing or sandboxing the skill (run scripts in an isolated account/VM) before using it with real contact information.
- Safety checklist: confirm the skill only sends to NOTIFY_EMAIL (the code does so), test with a dummy recipient, restrict permissions on the config, and consider alternatives (e.g., using a secure mail relay or authenticated API rather than storing plaintext credentials).
If you want help: I can (1) produce a safer version of send_mail.py that reads a config file directly and avoids relying on shell-sourced env vars, (2) generate a safer cron setup example that includes logging and a dry-run mode, or (3) suggest safer authentication patterns (app-specific passwords or tokenized relay services).
latest
DeadOrNot
Daily check to see if user is still responsive - asks if okay, sends email if no reply.
How It Works
- User messages → updates last_seen timestamp
- Cron runs daily → sets check_flag if timeout exceeded
- Agent reads check_flag → asks user if they're okay
- No reply → calls send_mail.py to notify emergency contact
Quick Start
1. Initialize
mkdir -p ~/.openclaw/apps/deadornot
2. Configure
Create config file ~/.openclaw/apps/deadornot/config:
NOTIFY_EMAIL=your_email@example.com
MESSAGE="User is unresponsive, please check on them!"
TIMEOUT_HOURS=24
ASK_HOUR=10
SMTP_SERVER=smtp.qq.com
SMTP_PORT=465
SMTP_EMAIL=your_qq@qq.com
SMTP_PASSWORD=your_auth_code
3. Set up Cron
crontab -l | { cat; echo "0 0 * * * /path/to/check.sh >> /path/to/log.txt 2>&1"; } | crontab -
Configuration
| Variable | Default | Description |
|---|---|---|
| TIMEOUT_HOURS | 24 | Hours without message before check |
| NOTIFY_EMAIL | - | Emergency contact (required) |
| MESSAGE | "User is unresponsive!" | Email content |
| ASK_HOUR | 10 | When to ask (0-23) |
| SMTP_SERVER | smtp.qq.com | SMTP server |
| SMTP_PORT | 465 | SMTP port |
| SMTP_EMAIL | - | Sender email |
| SMTP_PASSWORD | - | SMTP auth code |
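
The scan notes above ask for strict permissions on the config file and for send_mail.py to read it directly instead of depending on shell-sourced variables. One way to do both, as an added example that is not the skill's own code: `load_config`, `ConfigError` and the range limits for SMTP_PORT and TIMEOUT_HOURS are assumptions, while the keys and defaults come from the table above.

```python
import os
import stat

# Defaults from the Configuration table; the REQUIRED keys have none.
DEFAULTS = {"TIMEOUT_HOURS": "24", "MESSAGE": "User is unresponsive!",
            "ASK_HOUR": "10", "SMTP_SERVER": "smtp.qq.com", "SMTP_PORT": "465"}
REQUIRED = ("NOTIFY_EMAIL", "SMTP_EMAIL", "SMTP_PASSWORD")
# (key, min, max). The ASK_HOUR range is from the table; the others are assumptions.
INT_RANGES = (("SMTP_PORT", 1, 65535), ("ASK_HOUR", 0, 23),
              ("TIMEOUT_HOURS", 1, 24 * 365))


class ConfigError(Exception):
    """Raised for an unsafe or invalid config; never includes secret values."""


def load_config(path):
    """Read KEY=VALUE lines as data (nothing is executed) and validate them."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit exposes SMTP_PASSWORD
        raise ConfigError(f"{path} has mode {mode:03o}; expected 600")
    cfg = dict(DEFAULTS)
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if not sep or (key not in DEFAULTS and key not in REQUIRED):
                raise ConfigError(f"line {lineno}: not a known KEY=VALUE entry")
            # Accept shell-style quoting so the same file can still be sourced.
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            cfg[key] = value
    missing = [k for k in REQUIRED if not cfg.get(k)]
    if missing:
        raise ConfigError("missing required keys: " + ", ".join(missing))
    for key, lo, hi in INT_RANGES:
        if not cfg[key].isdecimal() or not lo <= int(cfg[key]) <= hi:
            raise ConfigError(f"{key} must be an integer in {lo}..{hi}")
        cfg[key] = int(cfg[key])
    return cfg
```

Because the file is parsed rather than sourced, a stray command or substitution in it is rejected as an unknown entry or kept as a literal string instead of being run by cron.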
