Skill v1.0.0

ClawScan security

颜色选择器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 4:26 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The README/prompts advertise many color tools (palette, gradient, multiple conversions) but the shipped script only supports a single hex→RGB/HSV conversion and mislabels HSV as HSL — the description, usage examples, and implementation do not align.
Guidance: This skill appears misleading rather than malicious: it claims multiple color utilities but the code only handles a single hex input and returns RGB/HSV (and even labels HSV as HSL). Before installing or using it: 1) ask the publisher to provide corrected source that implements the advertised commands (or update SKILL.md to match the script); 2) inspect/run the script locally in a safe environment to verify behavior (e.g., try the sample commands and see actual output); 3) if you need the advertised features (palette/gradient/rgb↔hsl), request a full implementation or use a different tool. There are no network calls or credential requests, so the risk is primarily functional inconsistency and potential developer error rather than data exfiltration.

Review Dimensions

Purpose & Capability
concern: SKILL.md promises format conversions (HEX/RGB/HSL/HSV), palette generation, and gradients. The included script only accepts a color string (hex), converts hex→rgb and computes HSV, and returns results; there is no implementation for rgb2hsl or rgb2hsv as separate commands, and no palette or gradient generation. This is a substantive mismatch between claimed features and delivered capability.
Instruction Scope
concern: SKILL.md shows CLI usage like 'hex2rgb', 'rgb2hsl', 'palette', and 'gradient'. The script ignores such command verbs and simply reads sys.argv[1] as a color string; it only recognizes a 6-digit hex format. The instructions therefore direct the agent/user to run commands that the code does not implement.
Install Mechanism
ok: No install spec and only a small Python script using the standard library — nothing is downloaded or written to disk outside the included files. This is low-risk from an install perspective.
Credentials
ok: No environment variables, credentials, or config paths requested. The skill does not attempt to access external services or secrets.
Persistence & Privilege
ok: The 'always' flag is false and the skill does not request persistent or elevated privileges. Autonomous invocation is allowed by platform default but is not combined with other high-risk indicators here.