ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pixel Art Processing

v1.0.0

Pixel art sprite sheet processing tool — video frame extraction, GIF/frames conversion, sprite sheet compose/split, image matting, pixelation, resize, crop,...

1· 37·0 current·0 all-time
by@anlinxi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims a pixel-art/sprite-sheet processing pipeline and includes code and docs consistent with that purpose (ffmpeg, rembg, Pillow, OpenCV). However SKILL.md and scripts disagree on key operational details: SKILL.md recommends running a backend at http://localhost:8000 and mentions run_api.py and docker-compose, but the deploy script sets API port 8200 and refers to a FRAME_RONIN_DIR outside the bundle. Several referenced project files (run_api.py, docker-compose.yml, backend/frontend directories) are not present in the manifest. These mismatches are incoherent with a ready-to-run backend package.
!
Instruction Scope
Runtime instructions ask you to deploy a backend and start workers, use ffmpeg/rembg/redis, and open browser tools — which fits the stated features — but SKILL.md references paths and files that do not exist in the bundle. The deploy script will create/work in workspace directories and may spawn uvicorn/worker processes; there is at least one obvious bug (typo FRAME_RORONIN_DIR) that would raise a runtime NameError during environment checks. The instructions grant the agent broad discretion to start servers/processes locally despite missing/incorrect entrypoints.
Install Mechanism
There is no platform install spec (instruction-only), but a requirements.txt is provided (scripts/requirements.txt) and SKILL.md tells users to pip install -r requirements.txt or use docker-compose. The Python dependencies listed (fastapi, rembg, ffmpeg-python, opencv, etc.) are reasonable for image/video processing. No remote downloads from untrusted URLs are present in the manifest. Note: rembg may download model weights at first run, which is an external network action to be aware of.
Credentials
The skill does not request credentials or privileged environment variables. It optionally reads REDIS_URL and USE_REDIS and sets local workspace env vars (UPLOAD_DIR, OUTPUT_DIR, TEMP_DIR). This is proportionate for a local processing service.
Persistence & Privilege
No special persistence or always:true flag is requested. The skill's deploy scripts create workspace directories and spawn local processes (uvicorn, rq worker) — normal for a local service but worth attention before running. It does not attempt to modify other skills or global agent configuration.
What to consider before installing
This bundle appears to implement the claimed pixel-art processing features, but there are multiple red flags you should consider before running it locally: - Missing / mismatched files: SKILL.md refers to run_api.py, docker-compose.yml and a backend at port 8000, but the included deploy.py uses port 8200 and expects a FRAME_RONIN_DIR outside the package. Several referenced backend/frontend files are not in the manifest. Expect runtime failures if you follow the Quick Start as written. - Runtime bugs: deploy.py contains a clear typo (FRAME_RORONIN_DIR) that will raise an exception during environment checks. The deploy script also assumes psutil is available in stop logic but psutil is not listed in requirements. These bugs indicate the package wasn't validated end-to-end. - External downloads: rembg is listed and usually downloads ML model weights on first use; ffmpeg is required but not bundled. These will trigger network activity and additional disk writes. - Operational effects: the code will create workspace directories and can spawn local servers and background workers. Run it inside a contained environment (virtualenv, isolated VM, or container), not as an administrator/root, and inspect the backend code if you plan to expose it to the network. - Ethical/legal note: the skill advertises watermark removal for third-party services (Gemini, Seedance). That functionality may violate terms of service or copyrights; consider legal/ethical implications before using. Recommended next steps if you want to try it: 1) Inspect the files under scripts/ and references/ to confirm what will run. 2) Run in a disposable environment (container or VM). 3) Install Python deps in a virtualenv and verify presence of ffmpeg and Redis if you need worker mode. 4) Fix or review deploy.py issues (port, missing reference project path, typos) before starting services. 5) If you do not want to run services, local_processor.py provides single-machine CLI tools for many features — review and run those commands instead of starting a server.

Like a lobster shell, security has layers — review code before you run it.

latestvk974bkyxw9nx1sqdpjv06643f1843pp1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments