ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flow Cytometry Gating Strategist

v0.1.0

Recommend optimal flow cytometry gating strategies for specific cell types and fluorophores

0· 80·0 current·0 all-time
byAIpoch@aipoch-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (recommend gating strategies) align with the provided Python script and the included fluorophore/cell-type databases. However, SKILL.md labels the skill as 'Hybrid (Tool/Script + Network/API)' and 'Network Access: External API calls' while the declared requirements list no network, no env vars, and no external dependencies — this is an inconsistency that is not justified by the rest of the package.
Instruction Scope
Runtime instructions in SKILL.md only tell the agent to run scripts/main.py with cell type and fluorophore arguments and to output JSON; they do not ask the agent to read arbitrary system files, environment variables, or contact unspecified external endpoints. The security checklist in SKILL.md recommends network/HTTPS and sandboxing, but that is advisory rather than prescriptive.
Install Mechanism
There is no install spec and no external downloads. The package includes a local Python script that will be executed; no package manager or remote archive is pulled during install. This is low-medium risk but execution of supplied code is required to operate the skill.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate for an offline recommendation tool. The mismatch with SKILL.md's claims of external API access should be resolved (either remove that claim or document required credentials/endpoints).
Persistence & Privilege
The skill does not request always:true and does not declare operations that would modify other skills or system-wide settings. Its runtime behavior appears limited to running the included script.
What to consider before installing
The skill appears to be a local Python-based recommendation tool and mostly coherent with its stated purpose, but there are two reasons to be cautious before installing: (1) SKILL.md claims network/API usage and a high risk level while the package declares no network access or credentials — ask the author to explain/confirm whether the script contacts any external endpoints or requires API keys; (2) scripts/main.py was truncated in the package listing here, so review the full file for any of the following before running: imports of network or HTTP libraries (requests, urllib, http, socket), subprocess or os.system usage, direct reads of sensitive files or os.environ, hardcoded endpoints or obfuscated strings, or code that writes to unexpected locations. Run the script in a sandboxed environment (isolated VM or container) and avoid supplying sensitive or patient-identifiable data until you confirm no exfiltration/network calls occur. If you need, provide the full scripts/main.py for a deeper review.

Like a lobster shell, security has layers — review code before you run it.

latestvk9734fc4r8sqaaevezvg3qnmk9838t66

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments