Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

work-log

v1.0.6

Automated work log management with daily/weekly report generation. Use when users need to record, track, or manage work tasks, generate daily/weekly reports...

by william-w @wwl52
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions: the skill reads/writes a local JSON work-log, generates daily/weekly reports, and manages add/delete/query operations. Requiring a local path for storing logs (~/.workbuddy/work-log/logs.json) is coherent for a work-log tool.
Instruction Scope
The SKILL.md instructs the agent to scan the user's log file across all dates for outstanding tasks and to 'create automatic reminders' that run hourly during work hours until tasks are completed. It does not specify the mechanism for creating reminders (local scheduler, platform automation, external service), where reminder messages are delivered, or what permissions are needed. That vagueness grants broad discretion to the agent and could lead to persistent background reminders or use of other subsystems beyond the stated local file operations.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes install-time risk because nothing is downloaded or written by an installer. Runtime behavior is the primary surface to review.
Credentials
The skill requests no environment variables, no credentials, and no config paths other than storing logs under the user's home directory. This is proportionate to the stated purpose.
Persistence & Privilege
always:false (normal). However, the skill expects to create and later cancel 'automatic tasks/reminders.' Creating persistent scheduled reminders is effectively granting ongoing presence/behavior outside a single conversation. Because the SKILL.md is vague about the mechanism and destinations for reminders, confirm how automations will be created and where reminders will appear before enabling autonomous invocation.
Scan Findings in Context
[no_code_files_or_installs] expected: The repository is instruction-only (SKILL.md only); the regex-based scanner had no code to analyze. This is expected for a skill that defines runtime behavior in prose, but it means the security surface is entirely in the instructions.
What to consider before installing
Before installing:
1) Ask the author how automated reminders are implemented — where will reminders be delivered (chat, system notifications, email, calendar, third-party service)? What scheduler or automation API is used?
2) Confirm that all data stays local (only ~/.workbuddy/work-log/logs.json) and is not sent to external endpoints; if sensitive, request encryption or allow a custom path.
3) If the skill will create scheduled/recurring jobs, request visibility and manual control to list/remove those jobs so you can stop unwanted background reminders.
4) If you plan to allow autonomous invocation, consider temporarily enabling the skill in a limited/test environment to observe behavior, or require explicit user approval for creating automations.
5) If any reminders or reports are to be delivered outside the agent (email, calendar, push), deny installation until you verify which external services are used and what credentials (if any) are required.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📝 Clawdis
