Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
zenTable
v0.9.2
Render structured table data as high-quality PNG images using Headless Chrome. Use when: need to visualize tabular data for chat interfaces, reports, or soci...
⭐ 1· 435·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the requested binaries (python3 + google-chrome) and the stated rendering approach. However, the skill references local scripts (skills/zentable/table_renderer.py, scripts/zentable_render.py) and a pinned GitHub release as the runnable source, but no runtime code is included in this package. That mismatch (docs expect code that isn't present) is a coherence issue: the installed skill cannot perform the described work without downloading and running external assets.
Instruction Scope
SKILL.md allows exec/read/write and gives explicit command examples that run local Python renderers and mentions OCR-assisted extraction and a Zx shorthand that instructs the agent to 'execute rendering directly by default (no preliminary Q&A)'. Those instructions grant the agent discretion to run local binaries and operate on message images and prior context. Because the actual renderer and OCR backends are not bundled, following these instructions would require fetching and running external code and/or contacting local services — a scope expansion not explicitly declared in the skill's manifest.
Install Mechanism
There is no install spec in the skill bundle (instruction-only), which is lower risk in isolation. But INSTALL.md explicitly instructs users/agents to download a pinned GitHub release and run scripts from it. The absence of an automated/verified install mechanism in the package plus instructions to fetch and execute release assets is a potential operational risk and a point of inconsistency.
Credentials
The skill declares no required environment variables or credentials (appropriate for a renderer). However DEPLOYMENT.md documents .env variables and local OCR backend options for a deploy scenario; those variables are not required by the skill manifest. This is mismatched documentation but not direct credential overreach in the packaged skill.
Persistence & Privilege
The skill does not request always:true and does not declare any system-wide configuration changes. Autonomous invocation is allowed by the platform default; the real issue is the Zx shorthand in the instructions that encourages immediate execution without user confirmation — this is an instruction-level behavior to be mindful of but not a declared persistence/privilege escalation in the manifest.
What to consider before installing
This package is primarily documentation: it describes Python + Headless Chrome renderers and an OCR service, but it does NOT include the runnable code the docs reference. Before using/installing:
1) review the pinned GitHub release (https://github.com/con2000us/zenTable/releases/tag/skillhub-zentable-beta-2026-03-01) and inspect the exact scripts (skills/zentable/table_renderer.py, scripts/zentable_render.py) that would be executed;
2) do not grant broad exec/read/write privileges to an agent unless you trust the fetched code — prefer manual download and review;
3) run the renderer and any OCR services in an isolated container or VM for initial testing;
4) be cautious of the Zx shorthand which instructs the agent to auto-run rendering without answering follow-up questions — if you install, consider restricting the skill's ability to exec or require explicit user confirmation;
5) verify any local network endpoints (OCR/CSS APIs) before allowing the agent to call them.
If you cannot or will not review the referenced release artifacts, avoid enabling exec access or decline to install.
Like a lobster shell, security has layers — review code before you run it.
Tags: beta, latest, ocr, rendering, table, workflow
Runtime requirements
📊 Clawdis
Bins: python3, google-chrome
