Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flow Panel Designer

v0.1.0

Design multicolor flow cytometry panels minimizing spectral overlap

by AIpoch @aipoch-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (flow cytometry panel design) match the included Python tool: FlowPanelDesigner implements fluorochrome data, overlap calculations, and a simple assignment heuristic. This is coherent for the stated purpose. However, SKILL.md documents parameters (e.g., --output / -o) and behavior (reading input files, writing output files) that the script does not implement, creating a mismatch between documentation and code.
Instruction Scope
SKILL.md refers to file system access, input-file path validation, and an --output parameter; the shipped script only reads a --markers CLI arg (required) and prints results to stdout. Because the documentation implies file read/write and path validation but the code lacks that functionality, an agent following the prose could attempt actions not covered by the code (for example, writing files or validating paths). Also the security checklist mentions preventing ../ traversal, but no code enforces any file path handling because the script does not accept file paths — this is a documentation/code inconsistency that could lead to unsafe assumptions.
Install Mechanism
No install specification and no external dependencies: the Python script uses only the standard library (argparse, itertools). No network downloads or third-party packages are requested, which is proportionate for this utility and low risk from an installation perspective.
Credentials
The skill does not request environment variables, credentials, or config paths. The code contains no network calls or secret-handling logic. This is proportionate to a local data-processing tool.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always: false). There is no install step modifying agent/system configuration and no evidence it would persist beyond running the script.
What to consider before installing
This package is small and the Python script appears to implement the panel-design logic without network access or secret use — that part is fine. However, the SKILL.md and the code disagree: the doc lists an --output parameter and file I/O concerns (path validation, ../ traversal protections) that the script does not implement. Before installing or running:

(1) Confirm whether you need file output support — if so, request an updated script or SKILL.md that matches.
(2) Run the script in a sandbox or isolated environment (it will execute locally) to validate behavior with non-sensitive test inputs.
(3) If you plan to add file write/read features, ensure path sanitization and output-directory constraints are implemented to avoid path traversal.
(4) If you will allow autonomous agent invocation, be aware that the agent could run the script locally — ensure the runtime environment restricts file system access as needed.

The inconsistencies are likely sloppy/documentation issues rather than malicious, but they should be resolved before trusting the skill for production or sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latest vk9794ha3se0e4jsrqvhsfqdf8n838fs1