Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
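WeChat Mini Program TabBar Icon Generation
v1.0.0 · A skill for generating bottom TabBar icons for WeChat Mini Programs. It uses Python PIL to generate tab icons in a minimalist geometric style (gray when unselected, green when selected) and automatically writes them into the tabBar configuration in app.json. Use this skill when the user says "generate tabBar icons", "bottom menu bar icons", or "tab icons".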
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared purpose (generate WeChat mini-program TabBar icons and update app.json) matches the SKILL.md instructions. However the metadata (registry 'requires' / required binaries) does not declare the actual runtime dependency: SKILL.md requires Python 3 and Pillow (pip install pillow). This mismatch is an incoherence in declared vs actual needs.
Instruction Scope
Instructions are narrowly scoped to the stated task: read app.json, infer icon types from tab text/pagePath, draw two 81×81 PNGs per tab into the project's images/ directory, and update app.json to add iconPath/selectedIconPath. No network endpoints or external exfiltration are referenced. Important caution: the skill will modify project files (app.json and write images/) and may overwrite existing iconPath fields without explicit user confirmation unless the implementation prompts the user as described.
Install Mechanism
There is no install spec (instruction-only), which is low risk in general — but the SKILL.md requires a specific runtime (Python 3 + Pillow). The absence of declared required binaries / install steps in the registry metadata is an inconsistency: users may be surprised when the skill fails or prompts them to install packages. The skill itself does not include an automated installer, so installing Pillow would be a manual precondition.
Credentials
The skill requests no credentials, environment variables, or config paths beyond the project's app.json and images/ directory. The level of access (local project files) is proportionate to the stated functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Autonomous invocation is allowed (platform default) but not combined here with other red flags. The primary privilege is local filesystem modification within the mini-program project — expected for this purpose.
What to consider before installing
This skill appears to do what it says (generate 81×81 PNG tab icons and update app.json), but note two practical risks: (1) SKILL.md requires Python 3 and the Pillow library, yet the package/registry metadata does not list these runtime dependencies — install Pillow yourself (pip install pillow) before use; (2) the skill will read and modify your project's app.json and write files to images/, which can overwrite existing icon settings. Before running: commit or back up your project (git commit or copy app.json and images/), review the mapping it proposes for each tab (it says it will confirm unknown matches), and verify selectedColor handling. If you do not want files changed automatically, run the drawing code locally (from the provided reference functions) or ask the skill to only produce files without modifying app.json. If the publisher provides an installer or updated metadata declaring Python/Pillow, the inconsistency would be resolved; absent that, treat the missing dependency declaration and automatic file modifications as reasons for caution.
Like a lobster shell, security has layers — review code before you run it.
