Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pollinations-sketch-note
v0.0.1
Generates AI-powered hand-drawn style sketch notes by auto-searching and summarizing topics from Wikipedia and Baidu Baike in three artistic styles.
by kyle@east5ringroad-kyle
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The functionality (auto-search from Wikipedia/Baidu via Jina reader/Tavily, summarize, call the Pollinations image API, composite with Pillow) matches the README/SKILL.md and the declared env vars (POLLINATIONS_API_KEY, TAVILY_API_KEY). However, metadata inconsistencies exist: skill.yaml/package.json list required binaries including 'curl', while the Python script uses the requests library and does not call curl. The package/manifest also mention system dependencies that are unnecessary for the shown code.
Instruction Scope
Runtime instructions are limited to running the bundled Python script and setting two environment variables. The script only reads POLLINATIONS_API_KEY and TAVILY_API_KEY and makes network calls to the expected endpoints (r.jina.ai for fetched page text and gen.pollinations.ai for image generation). Concern: DEFAULT_OUTPUT_DIR is hardcoded to /Users/pengshengkai/.openclaw/media (a specific user's home path), which is unexpected and could lead to files being written to an unexpected absolute path.
Install Mechanism
No install spec is present (instruction-only with bundled script). Nothing in the package downloads arbitrary external executables on install; risks are limited to running the provided Python script.
Credentials
Only two API keys (POLLINATIONS_API_KEY and TAVILY_API_KEY) are requested, which is proportional to the described functionality (image generation and search). No unrelated credentials or broad environment access are requested.
Persistence & Privilege
The skill is not always-on and does not request elevated or persistent platform privileges. The code does not modify other skill configs or system-wide settings. Autonomous invocation is enabled (platform default) but is not combined with other high-risk factors.
What to consider before installing
What to check before installing:
- Inspect and edit DEFAULT_OUTPUT_DIR in scripts/generate.py: it is set to /Users/pengshengkai/.openclaw/media (a path containing a hardcoded username). Change it to a safe location (e.g., Path.home()/'.openclaw/media' or a configurable path) to avoid files being written to an unexpected absolute path.
- Confirm you trust the Pollinations and Tavily API endpoints and that your API keys are from trusted accounts. The script sends your Pollinations key as a request parameter to https://gen.pollinations.ai/image/{prompt} and fetches page content via https://r.jina.ai/..., so expect outgoing network traffic to those hosts.
- The package manifests mention 'curl' and other system dependencies, but the script uses Python requests; this is probably harmless but inconsistent. No installer will pull extra binaries automatically, but the docs mention installing requests and pillow.
- Run the script in an isolated environment (virtualenv/container) and with dummy or scoped API keys first if possible, to observe behavior.
- If you intend to allow the skill to run autonomously, be mindful that it will make outbound HTTP requests whenever invoked; consider network monitoring or restricting keys to minimal scopes.
- If anything feels unexpected (unknown endpoints, unexplained file writes), don't provide real API keys until you are satisfied with changes and testing.
Like a lobster shell, security has layers — review code before you run it.
