Colors CC

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only color and placeholder skill is coherent and low-risk, but it relies on a third-party image/color API and may add disclosed default branding to generated assets.

This appears safe for normal UI mockups and color tasks. Before installing, be comfortable with using api.colors-cc.top, avoid putting sensitive text into generated image URLs, and disable attribution if you do not want the service's branding in output.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Low
What this means

If sensitive project names or private text are placed into placeholder URLs, that information may be sent to the external service and cached.

Why it was flagged

The skill sends placeholder parameters, including user-chosen text, to a third-party API and documents long-lived public caching for generated SVG responses.

Skill content

Endpoint: `https://api.colors-cc.top/placeholder` ... `text`: Center text, URL-encoded ... Response: SVG image with `Cache-Control: public, max-age=31536000, immutable`

Recommendation

Use the service for non-sensitive mockup text and design data; avoid placing private or confidential information in URL parameters.

ASI09: Human-Agent Trust Exploitation
Info
What this means

Mockups or assets generated with default settings may contain Colors CC branding or comments that the user did not intend to publish.

Why it was flagged

Generated assets include third-party branding and an HTML comment by default, though the behavior is disclosed and can be disabled.

Skill content

`attribution`: Include branding watermark (default: true). Set to `false` or `0` to disable. When enabled, adds a subtle "colors-cc.top" watermark ... and HTML comment for viral sharing.

Recommendation

Set `attribution=false` when generating assets that should not include external branding, and review generated markup before publishing.