Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mindmap Generator Pro

v1.0.0

Mindmap Generator - Auto-activating skill for Visual Content. Triggers on: mindmap generator, mindmap generator. Part of the Visual Content skill category.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes a straightforward mindmap/visual-content helper and does not require external credentials. However _meta.json lists a requirement of ["openai"] and the two files disagree on author/ownership details — this mismatch suggests the package metadata may have been copied or modified and could hide additional capabilities not documented in SKILL.md.
Instruction Scope
The runtime instructions are high-level and do not instruct the agent to read files, call external endpoints, or access credentials. That is consistent with a benign instruction-only skill. However the skill's allowed-tools includes Bash, Read, Write, Edit, Grep which would permit filesystem and shell operations if the agent chose to use them; SKILL.md does not justify needing those tools.
Install Mechanism
No install spec and no code files are included (instruction-only), which minimizes the risk from arbitrary downloads or on-disk executables.
! Credentials
Registry summary showed no required env vars, but _meta.json declares a dependency on 'openai' (implying an API key). SKILL.md does not mention needing an OpenAI key or other secrets. Requesting an API key would be reasonable for some implementations, but the lack of a declared primary credential or guidance in SKILL.md is inconsistent and unexplained.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It allows autonomous invocation (default) — acceptable by platform norms — but combined with the broad allowed-tools (shell and file access) this increases blast radius if hidden or inconsistent behavior exists.
What to consider before installing
The SKILL.md itself is simple and appears coherent for a mindmap helper, but the package metadata (_meta.json) contradicts it: different author, a declared 'openai' requirement, and paid/pricing fields. Before installing, ask the publisher to explain the OpenAI dependency and why metadata differs from SKILL.md. Avoid granting shell/file access or secrets until the discrepancy is resolved. If you do test it, run in a restricted environment (no sensitive env vars, no production secrets) and monitor for unexpected network calls or filesystem activity.

Like a lobster shell, security has layers — review code before you run it.
