Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dataview

v2.0.0

Explore CSV and JSON files with quick queries, filters, and aggregation. Use when inspecting data, running queries, filtering rows, aggregating.

⭐ 0· 143·0 current·0 all-time

by@bytesagain1

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

The name/description (DataView: inspect/query/filter/aggregate CSV/JSON) matches the provided SKILL.md and script: commands create/read local logs and produce exports. Required tools (date, wc, du, grep, tail, cat, sed) are exactly the standard utilities the script uses.

✓

Instruction Scope

SKILL.md instructs only on using local commands and the script implements those commands. The runtime behavior is limited to reading/writing files under the user's HOME data directory and searching those logs — it does not attempt to read system config, other users' data, or call external endpoints in the visible code.

✓

Install Mechanism

There is no install spec (instruction-only), and the included script is a plain shell script. Nothing is downloaded from external URLs or extracted; no additional packages are installed by the skill itself.

✓

Credentials

No environment variables or credentials are required. The script relies on HOME to determine the data directory (standard and proportional). There are no requests for unrelated secrets or service tokens.

✓

Persistence & Privilege

always:false and user-invocable; the skill only creates and writes files in its own data directory (~/.local/share/dataview). It does not request elevated privileges or attempt to modify other skills or system-wide agent settings in the visible code.

Assessment

This skill appears coherent and local-only: it logs actions and stores/exports them under ~/.local/share/dataview and does not ask for credentials or perform network calls in the visible code. Before installing, consider: (1) inspect the complete script file on disk — the script content in the review input was truncated, so confirm the remainder contains no unexpected behavior; (2) avoid writing sensitive data (passwords, API keys, or PII) into dataview entries since they are stored and searchable in plain text and exported to files; (3) the JSON export code uses simple text assembly and may have formatting quirks — verify exported files before sharing. If you need higher assurance, run the script in a sandboxed account or review the full file contents locally prior to installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ar1hyggh4kzcxhdpqc6bmh8354vh

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Dataview

License

Comments