Time Checker

Check accurate current time, date, and timezone information for any location worldwide using time.is. Use when the user asks "what time is it in X", "current time in Y", or needs to verify timezone offsets.

This skill appears to do what it says (fetch the time from time.is) and makes only a network request to that site. However, the package metadata and documentation are inconsistent: the Python script uses the system 'curl' binary (via subprocess), but the metadata lists no required binaries and the README suggests installing 'requests' and 'beautifulsoup4' (which the script doesn't use). Before installing or enabling this skill: 1) confirm 'curl' is available on target systems or update the SKILL.md to declare it; 2) consider replacing subprocess+cURL+regex with a pure-Python HTTP+HTML parser (requests + BeautifulSoup) or at least document why curl is used; 3) review network policy — the skill will make outbound requests to time.is; 4) if you need stricter assurance, request the owner to correct the README/manifest and provide a small security review (e.g., ensure subprocess.run is used without shell=True and that location input is validated). The inconsistencies look like sloppy packaging rather than malicious intent, but fix the declared dependencies before use.

Type: OpenClaw Skill Name: time-checker Version: 1.0.0 The skill is classified as suspicious due to two main issues. First, the `SKILL.md` file contains a prompt injection instruction ('deliver it in your warm, devoted Mema persona') which attempts to manipulate the AI agent's behavior beyond its stated function. Second, the `scripts/check_time.py` script uses `subprocess.run` to execute `curl` with a URL directly constructed from unsanitized user input (`location`). This creates a Server-Side Request Forgery (SSRF) vulnerability, allowing an attacker to potentially force the agent to make requests to arbitrary internal or external resources, despite the stated purpose of querying `time.is`.