Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pose Transfer
v0.1.1. AI-powered fashion model pose transfer tool. Generate pose variations of a model/product image using reference pose images while keeping clothing and backgro...
by CAIPEIJUN (@3cpj)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and the included script consistently call Fal.ai's edit model and require fal-client + FAL_KEY. Requiring an API key for an external image-editing API is expected for this functionality.
Instruction Scope
The instructions and script require reading local image files and sending them (as base64 data URLs) to fal.ai. This is expected for image editing, but it means your original images are uploaded off-device. Additionally, the script downloads the returned image URL using an HTTPS request with certificate verification disabled (an ssl.SSLContext configured with check_hostname=False and verify_mode=CERT_NONE), which is dangerous: it allows MITM, or fetching from an attacker-controlled host if the returned URL is malicious or the DNS/connection is tampered with. SKILL.md does not warn about these privacy and TLS risks.
Install Mechanism
No install spec; user must pip install fal-client per SKILL.md. No remote installers or arbitrary downloads are included in the skill bundle itself, so installation risk is low.
Credentials
Only FAL_KEY is required, which is proportionate to using the fal.ai API. No unrelated credentials or broad environment/config path access is requested.
Persistence & Privilege
The skill's always flag is false, and it does not request persistent or system-wide privileges. It only writes output files to the specified output directory.
What to consider before installing
This skill will read your local image files and upload them to fal.ai using your FAL_KEY, then download a returned URL. Before installing or running it:
(1) Review the script yourself or have someone audit it.
(2) Do NOT use sensitive or private imagery you are not comfortable uploading to a third party.
(3) Replace or fix the download_image function so it verifies TLS certificates (remove check_hostname=False and CERT_NONE, or use a verified requests.get with verify=True).
(4) Verify that the fal-client package you install is the official client and pin a known-good version.
(5) Limit and rotate the FAL_KEY you use, and check fal.ai's data retention/privacy policy.
(6) Run the tool in an isolated environment (VM/container) if you have any doubt.
The main concrete issue to fix in the included code is the disabled SSL verification when downloading returned image URLs.
Latest version id: vk970qbnnh8x8cnqd3ptkvnp3ed8390n7