Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Knowledge card creator, your memory helper

v1.6.3

Knowledge Card generator. Extracts key knowledge from user-provided material (text, files, URLs), determines optimal card type (concept/memo/process/comparison), applies co...

by Jay@goog
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (knowledge-card generator) matches the included code (a Markdown→HTML→PNG renderer) and templates. However, the SKILL.md expects runtime helpers (a 'web_fetch' tool, OCR via 'paddleocr', and LLM visual analysis) and a headless browser — none of these are declared in the skill's metadata as required binaries or env vars. That mismatch is explainable (optional runtime tools), but it's a discrepancy you should be aware of.
Instruction Scope
Instructions legitimately ask to accept text/file/URL/image, fetch URLs (via web_fetch), read files, and OCR images. Those actions fit the stated purpose. Two scope items to flag: (1) the agent is instructed to read arbitrary file paths provided by the user and save outputs to ~/.openclaw/workspace/kcards/ by default (normal for a creator tool but means it will write to your home dir); (2) SKILL.md references external tools (web_fetch, paddleocr, LLM visual analysis) and environment variables (implicitly for browser paths) that are not declared in requires.env — so the agent may attempt to access tools/env the platform does not advertise.
Install Mechanism
There is no install spec (instruction-only), which lowers risk. The included render_card.py lists Python dependencies (markdown, html2image, pillow, optional Pygments) but the skill doesn't provide an install step. The renderer requires a headless Chrome/Edge executable (searches common paths and CHROME_PATH/EDGE_PATH env vars). Missing an explicit install step for Python packages and browser tooling is a usability risk and should be documented before use, but not inherently malicious.
Credentials
The registry metadata declares no required environment variables or credentials (good). The renderer will read CHROME_PATH/EDGE_PATH if present and may trigger network requests (e.g., Google Fonts via CSS import). The skill does not request secrets, but it will read/write files under the user's home directory and could read arbitrary files supplied by the user — confirm you only pass content you intend to share. Overall no excessive credential requests, but implicit env access and network fetches should be acknowledged.
Persistence & Privilege
The skill is not force-installed (always:false) and does not declare modifications to other skills or system-wide settings. It writes output files to a workspace directory and runs a renderer script — expected for this functionality and not a privilege escalation concern by itself.
What to consider before installing
This skill appears to do what it claims (extract knowledge and render card images), but there are a few practical mismatches you should consider before installing:

  • Runtime tools: SKILL.md expects web_fetch, paddleocr (OCR), and an LLM visual analysis helper, but those tools are not declared. Verify your agent environment provides them or the skill will fail.
  • Python & browser deps: render_card.py requires Python packages (markdown, html2image, pillow, optionally Pygments) and a headless Chrome/Edge binary. The script looks for CHROME_PATH / EDGE_PATH or common install locations. Install these dependencies beforehand and ensure the renderer works in your environment.
  • File & network access: The skill will read files you point it to and save files under ~/.openclaw/workspace/kcards/ by default; it will also cause the headless browser to fetch external resources (e.g., Google Fonts). Do not pass sensitive local files or secrets to the skill unless you trust it.
  • Documentation: Ask the author to add an explicit install step (pip requirements and browser prerequisites) and to declare any optional environment variables (CHROME_PATH/EDGE_PATH) in the metadata.

If you need higher assurance, request the author to: (1) declare required binaries/env vars in the registry metadata, (2) provide a reproducible install spec (pip requirements file or instructions), and (3) confirm which external network endpoints the renderer will access. Until then treat the skill as functionally coherent but operationally under-specified.

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

Knowledge Card Generator

Workflow

1. Parse Input Material

Accept any of: pasted text, file path, URL, or image.

  • If URL → fetch and extract the main content with the web_fetch tool
  • If file → read it
  • If image → OCR with paddleocr, or have the LLM analyze it visually

Extract 3–7 core knowledge points. Prioritize: definitions > mechanisms > examples > details.

2. Determine Card Type

Pick the best-fit type based on content nature:

Type | Trigger Pattern | Structure
Concept card (概念卡) | Defines a term, theory, model | Term → Definition → Analogy → Key Points
Memo card (备忘卡) | Steps, commands, configs, references | Title → Ordered Steps → Tips / Gotchas
Process card (流程卡) | Sequential workflow or lifecycle | Title → Phases → Steps per Phase → Output
Comparison card (对比卡) | Compares 2+ items | Dimension → Item A vs Item B → Verdict

If unsure, default to Concept card.

3. Apply Cognitive Science Principles

Follow these when structuring the card:

  • Chunking: Group related info into 3–5 chunks max per section
  • Dual Coding: Pair text with a visual metaphor or emoji anchors
  • Elaboration: Add a "Why It Matters" or analogy section
  • Spaced Repetition Cue: End with a self-test question (❓)
  • Progressive Disclosure: Layer from simple to detailed

4. Generate Markdown

Use the template from references/card-templates.md. Output a single Markdown file.

Naming convention: kcard_<topic>_<type>.md (e.g., kcard_react-hooks_concept.md)

Save to the user's specified path, or to the default: ~/.openclaw/workspace/kcards/

5. Render to Image

Run the rendering script to convert the Markdown into a PNG:

python <skill-dir>/scripts/render_card.py <path-to-markdown> [--output <output.png>] [--theme <warm|cool|girly|tech>] [--width 800]

Default theme: warm. Default output: same path with .png extension.

The script:

  1. Parses Markdown to styled HTML
  2. Renders HTML to image via headless browser or html2image
  3. Returns the output path

Present the final image to the user.

Output Format

Always output:

  1. The Markdown source file (for editing/reuse)
  2. The rendered PNG image
  3. A brief one-line summary of what the card covers

Notes

  • Keep cards concise: one concept per card, maximum 195 words
  • Use Chinese or English based on input language
  • Emoji anchors are encouraged but keep them minimal (1–3 per section)
  • For batch requests, process cards sequentially and summarize all outputs

Files

3 total