Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fashion Colorize Shell

v1.0.0

Convert apparel sketches into ecommerce-ready colorized shell-jacket renders. Use when users provide garment line art and ask for realistic colorized outputs...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the included script all implement a sketch->product-render workflow. The only external requirement is a single API key (GEMINI_API_KEY) which is consistent with calling a remote image-generation API. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are scoped to: take a sketch and brief, run the local script, and return generated file paths. The script reads only the provided sketch/style images and writes outputs. However, the script sends the sketch image(s) and the textual brief to a fixed external endpoint (https://models.kapon.cloud) for generation, so user images and prompts will be transmitted off-host. SKILL.md does not explicitly warn users that their images will be uploaded.
Install Mechanism
There is no install spec (instruction-only with an included Python script). The script documents dependencies (google-genai, pillow) but does not auto-install anything. This is lower risk than arbitrary downloads. Users will need to install the listed Python packages from public registries.
Credentials
Only GEMINI_API_KEY is required, which matches the declared 'primary credential' behavior. No other secrets or unrelated environment variables are requested. The single key is proportional to invoking a remote model API.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and does not persist credentials or change agent config. It runs on demand and only uses the provided GEMINI_API_KEY at runtime.
Assessment
This skill appears to do what it says, but it sends your sketches and briefs to an external service at models.kapon.cloud. Before using it: (1) Verify you trust that endpoint and understand its privacy/retention and billing terms; the GEMINI_API_KEY you provide will authorize that service. (2) Do not upload sensitive or proprietary designs until you’ve confirmed data handling. (3) Consider testing with non-sensitive dummy images first to confirm behavior. (4) Install dependencies (google-genai, pillow) in an isolated virtual environment and inspect those packages if you have concerns. (5) If you prefer an official provider, modify the script to point to a vendor endpoint you control or host. If you want, I can list exact lines where images/prompt are sent so you can review them before running.

Like a lobster shell, security has layers — review code before you run it.

latestvk9749r1cw7738wadtpfd7ynht5824381
