Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GenArt
v2.0.0
Generate algorithmic visual art — flow fields, fractals, cellular automata, circle packing, wave patterns. SVG + PNG output.
License
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the visible portions of genart.py align: this is a Python generative-art tool producing SVG/PNG. However, the package advertises 'PNG rendering' and 'optional NumPy acceleration' while registry metadata lists no required binaries or environment and no install spec. Also package.json is present for a Node package even though the runtime is Python; these mismatches are unexpected though not necessarily malicious.
Instruction Scope
SKILL.md instructs running genart.py with CLI flags and claims deterministic, scriptable outputs. The instructions do not mention any external tools required to produce PNG output or optional acceleration. The code imports subprocess and os (visible), which suggests it may invoke external rasterizers (e.g., inkscape, rsvg-convert, ImageMagick) or perform filesystem operations — none of which are declared in SKILL.md or registry metadata. This omission is a scope/information gap that should be clarified.
Install Mechanism
There is no install specification (instruction-only skill with a bundled Python script). That is the lowest-risk install model. The presence of package.json is somewhat odd for a Python-only tool but not itself dangerous. No remote download URLs or extract operations are present in the metadata.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate for a local art generator. There are no declared secrets. That said, the code's use of subprocess/os means it could read or write filesystem content if implemented to do so; the current metadata does not claim such access explicitly.
Persistence & Privilege
The skill is not always-enabled and uses default invocation settings. It does not request elevated or persistent platform privileges in the metadata. Nothing in the manifest indicates it would modify other skills or global agent configuration.
What to consider before installing
The tool looks like a genuine generative-art script, but there are a few gaps you should check before installing or running it:
1) Inspect the full genart.py for any subprocess calls: search for subprocess.run/Popen or explicit command strings; if it calls external programs to render PNGs, confirm which binaries (inkscape, rsvg-convert, ImageMagick) and that you are comfortable providing those.
2) Confirm there are no network calls or attempts to read unexpected files (home dir, SSH keys, shell history).
3) Note the SKILL.md mentions optional NumPy but the metadata lists no dependencies; if you need NumPy, install it separately from a trusted source.
4) Because source/homepage are unspecified, consider running the script in a sandboxed environment (container or VM) first, or review the entire source for unexpected behavior.
If you want, I can scan the rest of genart.py (the truncated portion) for subprocess usage, file I/O, or network activity — provide the remainder and I'll review it line-by-line.
Like a lobster shell, security has layers — review code before you run it.
latestvk971bdczat6szhxqq7vwazqaas83g362
Runtime requirements
🎨 Clawdis
