image-annotation-usage

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only React component usage guide; the main thing to notice is that it tells users to install an external npm package.

This skill appears safe and purpose-aligned as a documentation-only guide. Treat the npm package installation like any third-party dependency: verify that the package is the one you intend to use before adding it to your project.

VirusTotal

1/64 vendors flagged this skill as malicious, and 63/64 flagged it as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low

What this means

If the package itself is compromised or untrusted, adding it to a web app could affect the app’s security or behavior.

Why it was flagged

The skill tells users to add an external npm package. This is purpose-aligned for a component integration guide, but installing third-party packages changes the application supply chain.

Skill content

    pnpm add @frank17008/image-annotation
    # or
    npm install @frank17008/image-annotation

Recommendation

Before installing, verify the npm package source, maintainer, version, and dependency reputation as you would for any third-party React component.