Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Graphical Abstract Wizard
v0.1.0Generate graphical abstract layout recommendations based on paper abstracts
⭐ 0· 61·0 current·0 all-time
byAIpoch@aipoch-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (generate graphical abstract recommendations) matches the included script and SKILL.md usage instructions. The skill does not request unusual credentials or system-level access, and the outputs (layout suggestions and art prompts) align with the stated purpose. Minor mismatch: requirements.txt only contains 'dataclasses' (which is part of stdlib for Python 3.8+), so the dependency list seems unnecessary or incorrect.
Instruction Scope
SKILL.md instructs running the local Python script and piping abstracts via stdin or arguments — appropriate for the task. However, SKILL.md contains contradictory statements about network/API use: it lists 'OpenAI API (optional, for enhanced analysis)' in Dependencies yet the risk table claims 'Network Access: No external API calls'. That inconsistency leaves unclear whether the runtime will call external APIs. The instructions also refer to prompt generation for Midjourney/DALL‑E (which is fine if only producing prompts) but do not clearly state whether the script will attempt to call any external image-generation APIs itself.
Install Mechanism
No install spec; skill is instruction-only plus an included script. Only pip install -r requirements.txt is recommended; that file contains a single entry 'dataclasses' which is unnecessary for Python 3.8+, indicating sloppy packaging but not an active install-risk (no remote downloads, no third-party install hosts listed).
Credentials
The skill declares no required environment variables or credentials, which is proportional. However, SKILL.md mentions optional OpenAI API usage without declaring a corresponding required env var (e.g., OPENAI_API_KEY) or explaining how the key is supplied. This is an inconsistency to clarify: if the script can call OpenAI (or other APIs), it should document required credentials and network behavior. Also check for implicit credential use in the code (requests to urls, use of environment keys) before trusting it.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not declare any config path or system modifications. Running the script locally has typical file I/O (read abstract, write output) which is expected and proportionate.
What to consider before installing
This skill mostly looks like a local script that extracts concepts and emits layout suggestions and prompts — which is plausible for the stated purpose — but there are inconsistencies you should clear up before running it on sensitive data: 1) Inspect the full scripts/main.py for any outbound network calls (search for 'requests', 'urllib', 'http', 'openai', 'socket', 'subprocess', 'os.system', 'eval' or similar). 2) If the script uses the OpenAI API, confirm how it expects the API key to be provided and only set that key if you trust the code/author; avoid exposing high-privilege keys. 3) The requirements.txt only lists 'dataclasses' (unnecessary on Python 3.8+); ensure no undeclared third-party libraries are imported in the code. 4) Run the script in an isolated/sandboxed environment (container or VM) initially and test with non-sensitive abstracts. 5) If you want a firmer verdict, provide the complete, untruncated scripts/main.py; I can re-check for hidden network endpoints, subprocess calls, or file-path traversal vulnerabilities. If you need, I can also provide the exact grep commands to find risky patterns quickly.Like a lobster shell, security has layers — review code before you run it.
latestvk97ddwjqbxvbqappz9dsdmhvt183esqy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.