Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spell

v2.0.0

Log anything fast and find it later with search and export. Use when running lookups, checking entries, converting formats, generating summaries.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim a local logging/search utility. The included script implements exactly that behavior (creates ~/.local/share/spell, logs inputs, provides search/export/status). No unrelated credentials, services, or binaries are required.
Instruction Scope
SKILL.md describes running a 'spell' CLI and documents commands that match the script's behavior. Minor mismatch: the repository includes scripts/script.sh but no install instructions to make a 'spell' command available in PATH. The runtime instructions do not attempt to read unrelated system files or env vars beyond HOME/DATA_DIR. The tool will log whatever the user provides — so users should avoid entering secrets (logs are stored in plaintext).
Install Mechanism
There is no install spec (instruction-only), which is lower risk. The package contains a shell script (no remote downloads or extracted archives). Nothing in the manifest attempts to fetch or execute remote code.
Credentials
The skill declares no required environment variables or credentials and indeed uses only HOME (to build a local data dir). No keys, tokens, or unrelated env-vars are requested.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. It writes files only under the user's home (~/.local/share/spell) and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: a simple offline logger/search/export tool that keeps data locally at ~/.local/share/spell. Before installing or using it:
1) review and, if needed, audit scripts/script.sh locally (it will append whatever you type to plaintext log files);
2) be careful not to enter passwords, API keys, or other secrets into entries (they will be stored unencrypted);
3) note there are no install steps provided; you may need to make scripts/script.sh executable and place it on your PATH (or adapt the SKILL.md commands);
4) optional: restrict permissions on the data dir (chmod 700 ~/.local/share/spell) if you want to limit access.
Minor technical notes: the export JSON newline handling and search behavior could be improved (e.g., grep option handling for terms starting with '-') but these are implementation issues rather than security red flags.

Like a lobster shell, security has layers — review code before you run it.

latestvk973429d0jzvc5kmm2b4fngmhd833hnx
