Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aight Utils
v1.0.0
Native Aight app integration for creating reminders, tasks, triggers, and items. Use when user mentions deadlines, reminders, tasks, or tracking.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The README asserts a "Native Aight app integration" but the skill is instruction-only and declares no credentials, API endpoints, or platform commands to actually deliver reminders/tasks to an Aight account. The content primarily defines JSON payload shapes, ID/date rules, and label conventions — useful as a formatter or template, but not sufficient for a true native integration. This mismatch (integration claim vs. lack of delivery/authentication mechanism) is inconsistent.
Instruction Scope
The SKILL.md instructs the agent to parse dates, generate IDs, set labels, and on error to write logs to .learnings/ERRORS.md and to create fallback files in memory/YYYY-MM-DD.md. Those are file-system operations affecting user-visible paths but the skill's metadata did not declare any required config paths. The instructions also reference integration points with other skills (proactive-agent, memory-manager, watchdog) without describing how to call them. Overall the instructions are open-ended and include writing to local files unexpectedly.
Install Mechanism
No install spec or code is included (instruction-only). That lowers supply-chain risk — nothing is downloaded or written by an installer. This is consistent with a template/helper-style skill, but intensifies questions about how the claimed integration is actually achieved by the hosting platform.
Credentials
The skill requires no environment variables or credentials, yet claims native app integration. A native integration would normally require authentication tokens or at least a declared primary credential. Additionally, the instructions reference writing to specific local paths (.learnings and memory/*) without declaring those as required config paths. Lack of declared credentials or config paths makes the claimed capability disproportionate to the declared requirements.
Persistence & Privilege
always:false and no autonomous-disable flags — normal. The skill does instruct writing to local files for errors and fallback memories, which is a form of persistent side-effect on the agent host. That behavior is permitted but should be disclosed; nothing about the skill attempts to modify other skill configs or request permanent elevated platform privileges.
What to consider before installing
This skill looks like a formatter/template for Aight reminders and tasks rather than a functioning native integration. Before installing, ask the publisher or platform: (1) How does this skill actually deliver items to my Aight account — what API/endpoints/authentication does it use? (2) Where will it write logs and fallback files, and can that be configured or disabled? (3) Will it ever request or require credentials from me at runtime? Because it is instruction-only and declares no credentials, it cannot, by itself, reach your Aight app — the hosting platform or another skill must perform delivery. If you still want to try it: test in a safe environment (no sensitive data), confirm file-write locations, and only enable it if you understand which component will be responsible for authenticating to Aight. Additional information (explicit API/auth details or a platform integration document) would raise my confidence toward 'benign'; absent that, treat it as potentially incomplete or misdesigned.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ex0vg01ytgqkern7n6fnsxx83d3ad
