Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Graphify
v1.0.0
Turn any folder of code, docs, papers, or images into a queryable knowledge graph. Cross-platform wrapper for graphify CLI.
by Flo (@flobo3)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, README, SKILL.md, and the wrapper code all align: the script installs/uses a 'graphify' package and runs detect→extract→build→report on a target folder. The requested operations (reading files in the target folder, writing output under <target>/graphify-out/) match the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python wrapper to install and run graphify. Runtime instructions and the code operate only on the provided target path and the created output directory; they do not attempt to read system-wide config, credentials, or unrelated paths. The skill will read files inside the target folder and write outputs and cache files there (expected behavior).
Install Mechanism
There is no registry install spec in the skill metadata, but the wrapper (and SKILL.md) call 'pip install graphifyy' at runtime. Installing an arbitrary PyPI package executes untrusted code (install-time scripts, imports) and the package/author provenance is not provided (homepage/source unknown). This is a moderate-to-high supply-chain risk compared with a vetted release or a pinned URL to a trustworthy repo.
Credentials
The skill declares no required environment variables, no credentials, and the code does not read environment secrets. It only interacts with the filesystem under the target path and runs local Python/pip — access requested is proportionate to the stated functionality.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills or global agent config, and only writes outputs/caches under the project's graphify-out directory. It does not request elevated/system privileges.
What to consider before installing
The wrapper/script is coherent with its stated purpose, but it will attempt to install the PyPI package 'graphifyy' at runtime. Before installing or running this skill:
1) verify the 'graphifyy' package on PyPI (owner, versions, release history) and inspect its source repository for malicious or surprising behavior;
2) prefer running the wrapper in an isolated environment (VM, container, or virtualenv) so install-time code can't affect your system;
3) consider manually installing a vetted version of the graphify package (or using a pinned version) rather than letting the wrapper run pip automatically;
4) if you cannot confirm the package provenance, do not run ensure-installed or build on sensitive directories (run it on a disposable copy of data first).
If you want, I can help look up the 'graphifyy' package, its PyPI page, or search for a source repository to validate provenance.
