Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
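- **Smart randomization**: selects uniformly at random from 28 topics across 8 dimensions
- ⏰ **Scheduled triggering**: configurable heartbeat mechanism for timed random questions
- 🎨 **Multi-dimensional coverage**: emotion, body, thinking, action, relationships, environment, reflection, future
- 🔧 **Highly customizable**: supports extending the topic library, adjusting trigger probability, and personalized settings
- 📊 **Usage statistics**: detailed statistical reports and chart analysis
- 🔄 **Context awareness**: incorporates conversation history and personal profile

v1.0.0: Asks questions chosen uniformly at random from 28 topics across 8 major dimensions, supports scheduled triggering and personalized configuration, and uses context to provide a natural, flexible random-question experience.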
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose—generating timed/random questions and optionally using conversation history—is consistent with the SKILL.md instructions. However the README and example config refer to additional components (install.sh, scripts/random_selector.py, question_stats.py, config default.yaml) that are not present in the file manifest; the example config also references TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID even though no environment variables are declared. These mismatches are unexplained and reduce trust.
Instruction Scope
SKILL.md stays within the expected scope: checking time/config, sampling questions, optionally combining user conversation history/personal profile, announcing the question, and recording timestamps. It instructs writing config under ~/.openclaw and calling a local endpoint (curl to localhost:3000), which are reasonable for this kind of skill. Note: 'use_personal_context' implies accessing conversation/profile data — expected for personalization but worth being explicit about to users.
Install Mechanism
There is no install spec (instruction-only) which is low risk, but the README directs running an install.sh and references scripts and a scripts/ directory that are not included in the package. That discrepancy is concerning: either necessary code is missing (the package is incomplete) or the README is stale/misleading. If an external install script were provided elsewhere, it would raise higher risk; verify where install.sh and scripts would come from before running any installer.
Credentials
The skill declares no required env vars, which matches the instruction-only nature. However the example configuration (example-openclaw.json) includes placeholders for TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID and other settings (backup_enabled, data_retention_days). Those imply optional integrations and data storage/backup behavior not documented in SKILL.md and not declared as required secrets—an inconsistency. If you enable external channels (Telegram) or backups you will need to provide tokens; confirm where those integrations send data and how backups are stored.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. The example files include a Heartbeat configuration that would enable periodic triggering (heartbeat.enabled: true, auto_load: true) — that means if you import the example configuration into your system it could start triggering automatically on the schedule. That behavior is expected for a reminder/heartbeat skill but should be considered before enabling (check data retention/backups).
What to consider before installing
This skill's core behavior (random, timed questions) is coherent, but there are several inconsistencies you should resolve before installing:
1) The package manifest lacks the scripts and install.sh referenced in README/HEARTBEAT.md — do not run an installer you didn't audit.
2) The example config exposes placeholders for Telegram tokens and backup settings; enabling external channels or backups may require secrets and could send data off your machine — verify destinations and storage.
3) The skill writes config under ~/.openclaw and may record question/answer history (data_retention_days); review where that data is stored/backed up.
4) If you want to proceed, ask the publisher for the missing scripts or a trusted repository link, inspect any install.sh and scripts for network calls or remote downloads, and only provide channel tokens (e.g., TELEGRAM_BOT_TOKEN) when you trust the code that will use them. If you cannot obtain the missing files or a trustworthy source, treat the package as incomplete and avoid running arbitrary installers.

Like a lobster shell, security has layers — review code before you run it.
