Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Circos Plot Generator
v1.0.0
Use blind-review-sanitizer for academic writing workflows that need structured anonymization, explicit assumptions, and clear output boundaries for double-bl...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Registry metadata lists the skill as "Circos Plot Generator" while SKILL.md and scripts/main.py clearly implement a "blind-review-sanitizer" for anonymizing manuscripts. This name/description mismatch is a strong incoherence signal: either the skill was mispackaged or mislabeled, which could be accidental but may also indicate sloppy or malicious repurposing. Other requested resources (none) align with the anonymizer purpose.
Instruction Scope
SKILL.md instructs running the bundled local Python script, validating input/output paths, and performing local-only anonymization. The instructions do not direct the agent to read arbitrary system files or call external endpoints; they emphasize manual review and security guardrails. Behaviour described stays within expected scope of a sanitizer.
Install Mechanism
This is an instruction-only skill (no install spec); a local script is bundled and meant to be executed directly. No network downloads or external installers are invoked. Minor concern: requirements.txt lists 'docx' (one-word) while SKILL.md refers to 'python-docx' — that mismatch could cause an unexpected dependency to be installed if someone blindly runs pip install -r requirements.txt.
Credentials
The skill requests no environment variables, no credentials, and no config paths — appropriate for a local-file anonymizer. There are no declared secrets or unrelated credentials.
Persistence & Privilege
Skill does not request permanent presence (always:false) and does not claim to modify other skills or global agent configuration. It operates on local files and writes output to provided output paths only.
What to consider before installing
Do not install or run this skill until the naming mismatch is resolved. The bundle's code and SKILL.md implement a manuscript anonymizer, but the registry name ("Circos Plot Generator") contradicts that. Ask the publisher/owner to explain the mismatch and provide provenance (homepage, repository, or author identity). If you proceed:
1) inspect the full scripts/main.py file locally for hidden behavior (network calls, exec, or obfuscated code) before executing;
2) correct or confirm the dependency: pip package should likely be python-docx not 'docx' (installing the wrong package could pull in an unexpected project);
3) run the script in an isolated sandbox on non-sensitive test documents and use the provided python -m py_compile and --help checks;
4) verify outputs carefully (metadata, acknowledgments, and removed-items logs) and never run it on sensitive unpublished manuscripts until you trust the source.
If the owner cannot explain the registry name mismatch, treat the package as untrusted.
Like a lobster shell, security has layers — review code before you run it.
