Mouse YOLO Factory

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its YOLO dataset purpose, but it uses hard-coded local script paths and creates an undisclosed persistent RAG detection log outside the user-selected dataset folders.

Install only if you are comfortable reviewing or editing the paths first. Prefer running the packaged scripts by relative path, verify any YOLO model file before loading it, and decide whether the D:/aiagent/rag_database detection log should be disabled, redirected, or periodically cleared.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

The skill could fail on most systems or, on a machine with a matching path, execute unreviewed local code instead of the packaged script.

Why it was flagged

The documented commands reference hard-coded absolute paths outside the reviewed package layout. If followed literally, the agent may run whatever file exists at that local path rather than the supplied artifact.

Skill content

`python D:/aiagent/aiagent_for_Mouse_Python_code/Mouse_produce_scratch.py --input <input_dir> --output <output_dir>`

Recommendation

Use reviewed relative package paths or an explicit install location, and avoid running D:/aiagent/... scripts unless you have verified those files are the intended ones.

ASI06: Memory and Context Poisoning
Medium
What this means

Image names and detection results can be retained outside the selected dataset folder and may later be reused as context, including stale or incorrect labels.

Why it was flagged

The inference module creates a persistent RAG database path and later appends image detection summaries to it, but SKILL.md does not disclose this separate persistent storage location or how it is controlled.

Skill content

RAG_DB_PATH = Path("D:/aiagent/rag_database")
RAG_DB_PATH.mkdir(parents=True, exist_ok=True)
rag_history_file = RAG_DB_PATH / "detection_logs.jsonl"

Recommendation

Before use, decide whether persistent RAG logging is acceptable; if not, remove or redirect this log path and add an option to disable logging.

ASI02: Tool Misuse and Exploitation
Low
What this means

Using the wrong input or database path could duplicate many files or mix datasets unintentionally.

Why it was flagged

Dataset merging copies images and labels into a new version directory under a user-provided YOLO database path. This is expected for the stated purpose, but it can create or expand local datasets.

Skill content

`shutil.copy2(src_img_path, os.path.join(dst_root, split, "images", f"{new_name}{ext}"))`

Recommendation

Confirm the new_data and yolo_db paths before running merges, and keep backups of important datasets.

ASI05: Unexpected Code Execution
Low
What this means

Loading an untrusted model file could expose the local environment to unsafe model-loading behavior.

Why it was flagged

The script loads a user-supplied YOLO model file. This is core to the skill, but in many ML toolchains model files such as .pt should be treated as executable artifacts and loaded only when they are trusted.

Skill content

`model = YOLO(args.model_path)`

Recommendation

Only use YOLO model files from trusted sources and avoid arbitrary downloaded .pt files.