Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Activity Campaign from UI

v0.3.2

Generate a new H5/Web campaign proposal and page architecture from UI references, then output a high-fidelity HTML/CSS/JS front-end draft on a fixed stack.

by Gabriel @bigin58
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (generate campaign proposals and H5/Web HTML/CSS/JS drafts) align with the SKILL.md and examples. The skill requests no unrelated binaries, environment variables, or credentials. The fixed stack (HTML/CSS/JS) and file outputs match the documented purpose.
Instruction Scope
SKILL.md instructs the agent to analyze screenshots, transform references into new campaigns, produce architecture and/or front-end files, and, when available, call host image-generation tooling (e.g., an exposed image_generate) or use Python to write local files if the host supports execution. These behaviors are coherent with the stated delivery/'full'/'delivery' modes, but they do give the skill runtime authority to: (1) process user-supplied screenshots (which may contain sensitive data), (2) call host-provided image-generation tools, and (3) write local files when explicitly permitted by the host. Also notable: the skill includes strong defaults about generating female-led hero images and a regeneration policy; these are design choices, not security issues, but they may be surprising to some users.
Install Mechanism
No install spec or packaged code is included; the skill is instruction-only. That minimizes disk-write and supply-chain risk.
Credentials
The skill requires no environment variables, no credentials, and no config paths. All declared requirements are proportional to its purpose.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. Its rules allow writing local artifacts only when the host explicitly supports local execution and the user requests it—this is reasonable for a delivery-focused skill.
Assessment
This skill appears internally consistent and coherent with its stated purpose. Before installing or invoking it, consider: (1) it will ask you to upload screenshots or design images—do not upload images containing passwords, private user data, or other sensitive information; (2) for poster-led outputs it prefers to generate a hero image (./image/bg.png) and will attempt to call any exposed host image-generation tool—confirm whether your host exposes such a tool and whether you consent to automatic image generation; (3) it may write local files via Python only when you explicitly request local output and the host allows execution—confirm the environment's file-write policy; (4) the skill has strong visual defaults (female-led hero, regenerate_each_run) and an anti-copy rule—if you need different defaults, specify them in your brief. If you need stricter privacy or want to avoid image generation/local writes, ask the model for a text-only 'analysis' or 'proposal' mode or explicitly request placeholder-only delivery.
