Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crane Hook Annotation
v1.0.0 · Detect and tightly annotate tower-crane hook outlines in similar construction-site monitoring images. Use when Codex needs to batch-process `.png`, `.jpg`, o...
by @genlk
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The name, description, profile JSON, and tuning docs all align with a crane-hook annotation tool — that part is coherent. However, the SKILL.md requires running scripts/annotate-crane-hooks.ps1 (and the Quick Start references a .\skills\crane-hook-annotation\scripts\annotate-crane-hooks.ps1 path) but no such script is present in the file manifest. A skill that claims to perform local image processing but omits its core executable is an integrity/incompleteness problem.
Instruction Scope
The instructions are narrowly scoped to local image annotation and profile tuning (no unexpected exfiltration endpoints or unrelated system access). However, they direct the user to run a PowerShell script with -ExecutionPolicy Bypass — a flag that disables script execution restrictions and should only be used for trusted scripts. Because the referenced script is absent, the instructions currently ask the user to obtain/execute code that isn't supplied, which increases risk.
Install Mechanism
There is no install spec and no binaries requested — the skill is instruction-only and doesn't automatically write or download code. That lowers the packaging-installation risk. The risk instead arises from the missing script the instructions expect.
Credentials
The skill requests no environment variables, credentials, or config paths — this is proportionate for an offline image-annotation tool. There is no indication of unrelated credential access.
Persistence & Privilege
`always` is false and the skill does not request persistent system privileges. `agents/openai.yaml` sets `allow_implicit_invocation: true`, so the agent could implicitly invoke this skill when eligible; that is a normal setting but worth noting if the skill later gains network/exfiltration behavior. By itself this is not a strong red flag.
What to consider before installing
Do not run unknown PowerShell scripts you can't inspect. Before installing or using this skill:
1. Confirm the missing script (`scripts/annotate-crane-hooks.ps1`) is provided by a trusted source and inspect its contents for network calls, data uploads, or commands that modify the system.
2. Avoid using `-ExecutionPolicy Bypass` unless you fully trust the script.
3. Request the author/source homepage or repository to verify provenance; the skill currently lists its source as unknown.
4. If you must test, run the script only on non-sensitive sample images in an isolated environment (a sandbox or VM) and search the script for any outbound network operations, such as calls to `curl`, `Invoke-WebRequest`, or `Invoke-RestMethod`.
5. Prefer packages that include their executables or are published by a verifiable maintainer.
The core coherence issue (the missing script) should be resolved before trusting this skill.
Tags: construction-monitoring, image-annotation, latest
