Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Osop Report

v1.2.0

Convert .osop and .osoplog.yaml into standalone HTML report with dark mode and expandable nodes

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (python3/python), install dependency (PyYAML), and the included Python script all align with converting .osop/.osoplog.yaml to an HTML report. However, the registry metadata declares a required config path (~/.osop/config.yaml) even though neither SKILL.md nor the visible code references or reads that file; this is an unexplained mismatch.
Instruction Scope
SKILL.md limits actions to locating the provided .osop/.osoplog.yaml (or recent files in a sessions/ directory), parsing them, generating a standalone HTML, saving it next to the source, and reporting the path. The instructions do not ask for unrelated files, environment variables, or network endpoints. The only minor scope note: fallback behavior to look in a sessions/ directory can cause the skill to read local files beyond a single explicit argument, which is reasonable for the purpose but worth noting.
Install Mechanism
Install specifies a single package (pyyaml) via 'uv' which is a simple Python dependency consistent with the script's import of yaml. PyYAML is a standard, traceable package; nothing in the install spec indicates downloading arbitrary code from unknown hosts.
Credentials
The skill requests no environment variables, which fits the purpose. But it declares a required config path (~/.osop/config.yaml) in metadata without any justification in SKILL.md or the inspected code; no env secrets or tokens are requested. The declared config path is disproportionate unless the skill actually reads that config (not seen in the provided code).
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/automatic inclusion or system-wide changes. There is no sign it modifies other skills or agent configuration.
What to consider before installing
This skill appears to do what it claims: parse .osop and optional .osoplog.yaml files and emit a standalone HTML report using Python + PyYAML. The main inconsistency is that the registry metadata lists ~/.osop/config.yaml as a required config path even though neither the SKILL.md nor the visible code reads that file. Before installing or running:
1) Ask the publisher why ~/.osop/config.yaml is declared or remove that requirement if not needed.
2) Inspect the full osop-report.py (the provided portion looks benign: no network, subprocess, or secret-access calls).
3) Run the script on sample files in an isolated environment (or review the remainder of the source) to confirm it only reads the specified .osop/.osoplog.yaml and writes the -report.html file.
4) If you are concerned about privacy, run it locally (no network) — the code shown uses only standard libs + PyYAML.
If the publisher cannot justify the declared config path or if additional files in the package reference external endpoints, treat the skill as risky and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk979tdwgb3476zwrqy09neyktd841g32

Runtime requirements

Any bin: python3, python
Config: ~/.osop/config.yaml

Install

uv: uv tool install pyyaml
