Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Harmonia
v1.0.0
Check PyTorch, Transformers, and CUDA compatibility. Detect GPU, driver mismatches, and version conflicts in ML environments. Use when the user sets up ML/AI...
by Ahmed Eladl (@ahmed-eladl)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and commands (harmonia check/doctor/suggest/matrix) align with the stated goal of diagnosing ML environment compatibility. However, the runtime instructions reference system GPU utilities (nvidia-smi, nvcc) and other system state checks that are not declared in the skill's listed required binaries; that omission is an inconsistency that should be clarified.
Instruction Scope
SKILL.md explicitly instructs the agent to install the package (pip install harmonia-ml), run system diagnostics (nvidia-smi, nvcc, glibc, virtualenv status), and offers to run suggested fix commands (pip installs). The instructions do not declare reliance on nvidia-smi/nvcc, and they allow the agent to execute environment-modifying commands if the user asks — which can change the user's system. The skill also claims 'works offline' and 'does not make API calls'; those claims are plausible for a local database but should be verified in the package source before trusting them.
Install Mechanism
Install spec points to 'pip install harmonia-ml' (package on PyPI) which is a typical install path for this functionality and acceptable. The registry metadata uses kind 'uv' (ambiguous in this context) but the SKILL.md explicitly uses pip. No remote arbitrary archive downloads are present. Verify the PyPI package and its source code before installing.
Credentials
The skill requests no environment variables or credentials and does not declare access to any config paths. That is proportionate for a diagnostic tool.
Persistence & Privilege
The skill does not request always:true and does not ask for persistent system-wide configuration changes. It can be invoked by the agent autonomously (platform default), which is normal; combine this with the instruction-scope concerns (ability to run pip install) when deciding whether to allow autonomous runs.
What to consider before installing
This skill appears to do what it claims (diagnose PyTorch/CUDA/transformers compatibility) but you should verify a few things before installing or letting the agent run fixes automatically:
- Verify system tooling: The documentation mentions checking nvidia-smi and nvcc (GPU and CUDA tools) but the skill metadata only requires pip and python3. Confirm that your environment has nvidia-smi/nvcc if you expect full GPU diagnostics.
- Review the PyPI package: 'pip install harmonia-ml' will download code from PyPI — inspect the package (or its GitHub repo) for unexpected network calls or installation scripts before installing.
- Be cautious about automatic fixes: The skill encourages running pip install commands it recommends. Those modify your Python environment. Always preview and approve any install command the agent proposes, and prefer running them manually in a controlled virtualenv.
- Offline claim: The SKILL.md says it 'works offline' with a local DB. That can be fine, but confirm by checking the package source (some tools still fetch metadata online during runtime).
If you want higher assurance, ask the skill author or inspect the harmonia-ml package source on GitHub/PyPI to confirm it only runs local checks and to see whether it invokes nvidia-smi/nvcc and how it handles suggested fix commands.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎵 Clawdis
Bins: pip, python3
Install
Install harmonia (pip install harmonia-ml)
Bins: harmonia
uv tool install harmonia-ml