Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Figure Legend Gen
v1.0.2
Generate standardized figure legends for scientific charts and graphs. Trigger when user uploads/requesting legend for research figures, academic papers, or...
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious · medium confidence
Purpose & Capability
Name/description match the included script: a local Python tool that generates figure legends from an image and templates. However, SKILL.md and metadata label the skill as 'Hybrid (Tool/Script + Network/API)' and list 'Network Access' as high risk while the provided code (visible portion) contains no network calls. Also SKILL.md names PIL and pytesseract as dependencies but requirements.txt does not include them. These inconsistencies suggest the metadata/README and code are out-of-sync.
Instruction Scope
Runtime instructions tell the agent to run the local Python script on a provided image path and to install requirements.txt. The script validates and reads local files and writes output; there are no instructions to collect unrelated system data. But SKILL.md contains a 'Network/API' claim and a security checklist referencing HTTPS and external APIs; the instructions do not show what external endpoints would be used. The file listing of main.py was truncated in the package summary; the missing tail could contain network calls — this uncertainty increases risk.
Install Mechanism
No install spec is provided (instruction-only + included script). There are no downloads or external installers in the manifest. This is low-risk from an install-mechanism perspective.
Credentials
The skill declares no required environment variables, no credentials, and no special config paths. The code shown only needs access to the input image and optional output path — proportional to the stated purpose.
Persistence & Privilege
Skill flags indicate normal user-invocable behavior and always:false. The package does not request elevated/system persistence or modifications to other skills. No concern here.
What to consider before installing
Before installing or running this skill:
1) Ask the author to explain why SKILL.md claims network/API usage and a 'High' network risk if the included script appears purely local; confirm there are no external endpoints used.
2) Inspect the full scripts/main.py (the manifest listing was truncated) to verify there are no hidden network calls or code that exfiltrates files.
3) Fix dependency mismatches: requirements.txt does not list Pillow/pytesseract which the README references; ensure required packages are explicit and safe.
4) Run the tool in a sandbox or isolated environment the first time, and do not feed it sensitive or proprietary images until you confirm no external communication occurs.
5) If you need stronger assurance, request a signed provenance or a canonical source (homepage/author repo) and ask for reproducible build/install instructions that do not rely on unreviewed remote downloads.
Like a lobster shell, security has layers — review code before you run it.
Tags: Figure · Figure legends · Scientific-writing · latest
