Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mouse YOLO Factory

v1.0.0

Generate simulated scratch defects, run YOLO model inference with auto-labeling, and merge mouse product defect image datasets with version control.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code files implement scratch generation, YOLO inference (auto-labeling), and dataset merging, which aligns with the skill description. However, the SKILL.md uses absolute Windows paths (D:/aiagent/aiagent_for_Mouse_Python_code/...) and the code itself creates a hard-coded RAG DB directory at D:/aiagent/rag_database. These hard-coded paths are not declared in metadata and may not match where the skill will be run.
! Instruction Scope
SKILL.md instructs running scripts via absolute paths on D:, implying the agent or user should store/execute code there; the runtime code writes detection logs (JSONL) to a hard-coded local RAG path and writes/creates dataset folders and labels. While this is expected for dataset tooling, the instructions give no warning about these file writes and assume a Windows D: layout — this is scope creep relative to a simple 'run model' description and could overwrite or create files in unexpected locations.
Install Mechanism
There is no install spec (the skill is instruction-only, with code files bundled). However, the Python code depends on heavy native libraries (ultralytics, torch, torchvision, cv2/opencv, numpy, pandas) which are not declared. Users may attempt to run the scripts without these dependencies; installing them can be non-trivial and may require compiling native code. Absence of dependency declarations is an operational risk but not necessarily malicious.
! Credentials
The skill requests no environment variables or credentials (which is good), but it writes logs to and creates directories under a hard-coded path (D:/aiagent/rag_database) and uses file-system locations for datasets. The skill does not declare these required config paths in metadata. There's no network exfiltration code, but local log files may include detection summaries — review these if they may contain sensitive image identifiers.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or global agent configuration. Its persistence is limited to creating directories and writing files (datasets, labels, and a local RAG JSONL log) within the file system; this is expected for dataset tooling.
What to consider before installing
What to check before installing or running:
- The code implements the stated features, but the SKILL.md commands and some internal paths are hard-coded to D:/... — make sure you understand and relocate those paths to directories you control before running.
- The scripts expect heavy Python dependencies (torch, ultralytics, torchvision, opencv, pandas, numpy). The skill metadata does not declare these — install them in a controlled environment (preferably a virtualenv or container).
- The inference script writes detection logs to D:/aiagent/rag_database/detection_logs.jsonl and writes output images/labels into dataset folders. Inspect the logs if they may contain sensitive filenames or metadata.
- Run the code first in an isolated environment (container or VM) and review/modify the hard-coded paths and any file-write locations. Search the code for any other absolute paths before trusting it with production data.
- If you need tighter guarantees, ask the publisher to: remove hard-coded paths, declare required dependencies, and document exactly what files will be created/modified and where.
- Confidence is medium: nothing in the code indicates network exfiltration or obfuscated/malicious behavior, but the path assumptions and missing dependency declarations are implementation issues that could lead to accidental data exposure or file overwrites.

Like a lobster shell, security has layers — review code before you run it.

latestvk9766ft3016az9fjnn33a26xh1834xhc
