Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Passport

v2.0.0

Validate and format passport or identity document data. Use when checking fields, validating numbers, generating fixtures, linting records.

⭐ 0· 111·0 current·0 all-time

by@bytesagain1

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description (validate/format passport data) align with the provided CLI script and SKILL.md. The script implements the commands documented (check/validate/generate/format/lint/etc.) and stores records under ~/.local/share/passport, which is consistent with a local devtool.

ℹ

Instruction Scope

Instructions and the script operate entirely on local files and standard CLI utilities. Important privacy note: the tool logs every input and action in plaintext (per-command .log files and history.log). That behavior is expected for this kind of tool but is a data-exposure risk if you store real passport/PII without encryption or access controls.

✓

Install Mechanism

No install spec (instruction-only) and provided script is self-contained Bash. No remote downloads or package installs are used; nothing is written outside the user's home directory by default.

✓

Credentials

No environment variables, credentials, or external config paths are requested. The only filesystem access is to a subdirectory of the user's home, which is proportionate to the tool's function.

✓

Persistence & Privilege

Skill does not request elevated privileges and is not forced-always. It persists data under ~/.local/share/passport (its own data) which is normal for a local CLI; it does not modify other skills or system-wide agent settings.

Assessment

This skill appears to do what it claims: a local CLI that stores and manages passport/ID test data. Before using with real personal data, consider the privacy implications: the tool writes every input into plaintext log files (~/.local/share/passport/*.log and history.log). If you'll store sensitive PII, either avoid using real data, change DATA_DIR to a secure location, restrict filesystem permissions (e.g., chmod 700 on the directory), or add encryption. Also inspect the script yourself and run it offline to confirm no network activity in your environment. If you need the agent to use this skill autonomously, remember any inputs it sends to the CLI will be recorded locally.

Like a lobster shell, security has layers — review code before you run it.

latestvk9748ppqpwgwzwfk34vkckcebd8349h4

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Passport

License

Comments