Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Json Parser
v2.1.0
Parse and validate JSON data from construction APIs, IoT sensors, and BIM exports. Transform nested JSON to flat DataFrames.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, medium confidence
Purpose & Capability
Name and description match the behavior in SKILL.md: parsing, validation, flattening, and conversion to DataFrames for construction/BIM/IoT JSON. Requesting python3 and filesystem access is reasonable for this task.
Instruction Scope
SKILL.md contains concrete Python code that reads files (parse_file) and expects user-provided file paths. Instructions.md explicitly tells the agent to gather input and process user-supplied files. This is within scope, but the claw.json 'filesystem' permission means the skill can access the agent filesystem—ensure policy/host limits prevent arbitrary file reads and that the agent only processes files the user authorizes.
Install Mechanism
This is an instruction-only skill (no install spec), so nothing is written to disk by the skill system. However, the provided Python code depends on pandas (imported as pd) but pandas is not declared in the skill requirements; ensure the runtime environment has pandas installed or the agent will fail when executing the code.
Credentials
The skill requests no environment variables or credentials. That is proportionate to its stated purpose. No unrelated secrets are requested.
Persistence & Privilege
always:false and normal autonomous invocation defaults are used. The skill does not request persistent or elevated privileges beyond filesystem access. Note: OS restriction is 'win32' but required binary is 'python3' which may not match common Windows python executables ('python'); this could cause runtime failures but is not a security issue by itself.
Assessment
This skill appears to do what it says (parse and flatten construction JSON), but before installing or running it:
- Ensure the agent environment has Python and pandas available (the SKILL.md imports pandas but the skill doesn't declare that dependency).
- Confirm the agent's filesystem permissions/restrictions: the skill will read files you provide, but a broad 'filesystem' permission could allow wider access—only provide explicit file paths and avoid giving system or credential files.
- Note that the win32 OS restriction and the required binary 'python3' may not match Windows setups (you may need to map/alias 'python3' to your Python interpreter).
- There is a minor metadata/version mismatch in the manifest files (claw.json lists version 2.0.0 while the registry shows 2.1.0); this is likely benign, but it is worth verifying the source.
If you need higher assurance, request a signed release or a package that declares and installs its dependencies (pandas), with clear provenance for the homepage/source code.
latest vk976s7n53yq2j50ad94n30xqhh817p51
Runtime requirements
🏷️ Clawdis
OS: Windows
Bins: python3
