Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gumroad Product Images, version 1.0.0. Changelog: "Initial release: cover + preview image generation for Gumroad products"

v1.0.0

Generate professional product cover images (600x600) and preview/showcase images (1280x720) for Gumroad digital products. Use when creating, updating, or bat...

by careytian@careytian-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the included HTML templates and themes: the skill generates cover and preview images by rendering local HTML and taking headless browser screenshots. However the SKILL.md references external tools (Microsoft Edge at a hardcoded Windows path, and npx http-server) that are not declared in the skill metadata (required binaries). The instructions are Windows/PowerShell-centric while the skill metadata lists no OS restriction or required binaries — this mismatch should be clarified.
Instruction Scope
Instructions stay within the stated purpose (build HTML, serve locally, screenshot). They do not request credentials or network exfiltration endpoints. Concerns: they direct executing a local browser binary via absolute path and running `npx http-server` (which will fetch packages from npm if not installed). Example file paths (C:\Program Files (x86) and F:\path) are platform-specific and may cause the agent to run commands that fail or behave unexpectedly on non-Windows hosts.
Install Mechanism
There is no install spec (instruction-only), which is lowest-risk in principle. However the runtime commands call `npx http-server` — invoking npx can download/execute code from the npm registry at runtime. That dynamic fetch is a real risk if unreviewed packages are pulled. The skill does not document or pin a package source/version for the HTTP server.
Credentials
The skill requests no environment variables, no credentials, and does not reference any secrets or external APIs. This is proportionate to its purpose.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does allow autonomous invocation (default), which is normal; combined with the limited scope and lack of sensitive access this is acceptable. Nothing indicates it modifies other skills or system-wide config.
What to consider before installing
This skill appears to do what it says (generate images from local HTML templates), but you should verify a few things before installing/using it:
(1) The SKILL.md assumes Windows/PowerShell and a hardcoded Edge path — if you run a different OS, update commands or test carefully.
(2) The skill does not declare required binaries: ensure Microsoft Edge (or another headless browser) is installed and reachable, and decide whether to use a stable local HTTP server instead of `npx http-server`. `npx` will fetch packages from npm at runtime — if you prefer, install http-server yourself, use a pinned package version, or use an alternative (e.g., Python's http.server).
(3) Run the commands in a controlled environment (non-production VM) the first time to confirm there are no unexpected network calls or file operations.
(4) If you need to run batch scripts, review and adapt the hardcoded paths (C:\..., F:\...) to your environment.
If the author can update the skill metadata to list the required binaries and clarify cross-platform usage and pinned server package, that would remove most remaining concerns.
