Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Palette

v1.0.0

Create and manage color palettes using color theory algorithms. Use when designing UIs or building brand color systems.

by BytesAgain2 @ckchzh
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (palette generation, export, preview, manage library) match the included SKILL.md and the bash script. The script implements logging, generation stubs and exports relevant to the stated purpose; no unrelated services or credentials are requested.
Instruction Scope
Runtime instructions and the script operate on files under $HOME/.palette and on local terminals. Be aware the script records each command and its arguments into per-command .log files (e.g., create.log, random.log) so any values you pass via env vars or args will be recorded. No steps read or transmit system files or external endpoints.
Install Mechanism
No install spec — instruction-only plus a shipped script. No external downloads or package installs are performed by the skill.
Credentials
The skill requires no credentials or special env vars. It uses $HOME for data storage (expected). There are no unexplained secret requests.
Persistence & Privilege
always is false and autonomous invocation is allowed by default (expected). The skill only creates/reads files under ~/.palette and does not modify other skills or system-wide agent settings.
Assessment
This skill appears coherent and safe for normal use, but review these points before installing or running it:
- Data & logs: The script stores all activity and command/argument text in ~/.palette/*.log and a data.jsonl file. Avoid passing secrets or sensitive strings in PALETTE_* env vars or arguments because those values get recorded.
- Local writes only: The tool operates locally and does not contact external servers, but it will write exported files to the current working directory when you run export.
- Permissions & backups: If you care about privacy, check and tighten permissions on ~/.palette (chmod 700) and back up or delete logs you don’t want retained.
- Minor bugs: The script has duplicated case labels for export in the main switch (one branch just logs, another calls the export function). This is a harmless bug but may produce unexpected behavior — consider inspecting or testing the script before relying on exports.
- Review before running: Because it's a shell script included in the skill bundle, you can safely inspect it (which you already did). Run it as a normal user (not root) and only after you are comfortable with the log/storage behavior.

If you want stricter guarantees, request an implementation that avoids recording full argument strings or adds an opt-out flag for telemetry/logging.

Like a lobster shell, security has layers — review code before you run it.

latest vk9714c2k78tf44rsa3yd920dj5837mn1
