Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

English Practice

v1.0.0

Generate customized English practice booklets with diverse question types for grades 3-9 using varied difficulty and content versions, exportable as PDFs.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description align with the SKILL.md: it is an English-practice booklet generator with question bank, assembly, deduplication, and PDF export. The declared requirements (no env vars, no binaries) are not immediately incompatible with that purpose.
Instruction Scope
The runtime instructions describe reading/writing a persistent question bank (question_bank_v2.json), using scripts (question_gen.py, paper_assembler.py, pdf_gen.py), maintaining a 7-day usage history, and invoking LLM/API generation. However, none of those code files or data files are included or referenced in an install step — the agent will need to create or access local files and maintain history, which expands its scope. The SKILL.md does not explicitly tell the agent to access system-wide sensitive paths, but it leaves broad discretion about file I/O and external API usage.
Install Mechanism
There is no install spec and no code files — this lowers installation risk (nothing is downloaded or written by the skill itself). However, because the instructions expect local scripts/data, the environment must supply them; the absence of an install plan makes behavior ambiguous.
Credentials
The skill declares no required environment variables or credentials, but the SKILL.md explicitly mentions 'LLM/API' generation and PDF export (which commonly require libraries or external services). The lack of declared credentials/endpoints is a mismatch: either the skill expects only local model invocation (no keys) or the instructions omit required secrets. Confirm whether external APIs or third-party services are needed and which credentials would be required.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill expects persistent storage (question_bank_v2.json, usage history) and will read/write exam content and usage logs; this is expected for its functionality but has privacy implications (student data, question provenance). It does not request system-wide configuration changes or other skills' credentials.
What to consider before installing
Before installing:
1) Note the skill is instruction-only but references local files and Python scripts that are not included — ask the publisher for the code, install steps, and where files should live.
2) Confirm whether an external LLM/API or PDF service is required; if so, require explicit documentation of which endpoints and what credentials will be needed.
3) Decide where question_bank_v2.json and usage logs will be stored and who can read them — these may contain student data.
4) Run the skill in an isolated sandbox or review its code before granting file-system access; if you must allow it to write files, restrict it to a dedicated directory.
5) If you cannot verify the source (owner is anonymous/unknown), treat the missing artifacts and ambiguous external-service requirements as a red flag and request a signed manifest or source repository before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9708ktcwnbbek9vsrdx39mc9d84qmzk
