Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PomoClaw

v1.0.0

Control the PomoClaw pomodoro timer on the Mac. Use when the user asks to start, stop, pause a pomodoro/pomoclaw/focus timer, check timer status, or when a p...

by Vladimir Kozlovskyi (@vkozlovskyi)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: controlling a macOS app via the pomoclaw:// URL scheme. Minor mismatch: the skill is macOS-specific (uses the open command and a menu‑bar app) but the registry metadata does not declare an OS restriction.
Instruction Scope
SKILL.md only instructs the agent to invoke macOS URL-scheme commands (open 'pomoclaw://...') and to read the app's status file (~/.pomoclaw/status.json) after using the status command. There are no instructions to read unrelated files, send data to external endpoints, or access unrelated environment variables.
Install Mechanism
Instruction-only skill with no install spec or downloaded artifacts. Lowest-risk model for install behavior.
Credentials
No environment variables, credentials, or config paths are requested beyond the single app-specific status file (~/.pomoclaw/status.json) which is referenced explicitly and consistently with the stated purpose.
Persistence & Privilege
Skill is not marked always:true and uses default autonomous invocation settings; nothing indicates elevated or persistent privileges beyond normal agent skill behavior.
Assessment
This skill appears coherent for controlling a macOS menu‑bar pomodoro app, but verify a few practical things before installing: (1) Confirm you have the PomoClaw app installed from the referenced GitHub releases and trust that source. (2) Ensure the agent will run commands on a macOS node (the SKILL.md relies on the macOS `open` command) — the registry entry does not declare an OS restriction. (3) Understand the skill will read ~/.pomoclaw/status.json after a status call; inspect that file for any sensitive info and confirm its permissions. (4) If you want to avoid accidental autonomous use, keep the skill user-invocable only (default) or restrict agent invocation policies. (5) If you need greater assurance, review the app binary/source on the GitHub repo before use.


Tags: focus, latest, macos, menu-bar, pomodoro, timer
