ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenCV

v1.0.0

Computer vision and image processing using OpenCV WebAssembly. Uses opencv-component.wasm running in openclaw-wasm-sandbox plugin. Supports image processing,...

0· 71·0 current·0 all-time
by@guyoung
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions: the skill expects an OpenCV WebAssembly component and the openclaw-wasm-sandbox plugin. Declared prerequisites (plugin + wasm file) are consistent with the stated functionality.
Instruction Scope
Runtime instructions are narrowly scoped to invoking the wasm component via wasm-sandbox-run and mapping workDir/mapDir for file I/O. The skill does instruct mapping arbitrary host directories into the sandbox (expected for image files) — this is normal for the task but increases the risk of exposing unrelated sensitive files if mappings are too broad.
!
Install Mechanism
No formal install spec is present; SKILL.md instructs downloading a WASM file from a raw.githubusercontent.com URL. While GitHub raw is a common host, the skill provides no checksum/signature or provenance guidance. Downloading and executing an externally-hosted WASM blob is moderate-to-high risk if unverified.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to an image-processing WASM component. Note: the ability to map host directories into the sandbox effectively grants the component access to any mapped files.
Persistence & Privilege
No always:true flag, no install-time modifications described, and the skill is instruction-only. It does not request persistent elevated privileges via the metadata.
What to consider before installing
This skill appears to do what it says (run OpenCV in a WASM sandbox), but before installing or using it you should: 1) verify the WASM binary's provenance — prefer official releases or a checksum/signature; 2) avoid mapping wide host paths (don't expose your entire home or system directories); map only the specific image directories needed; 3) confirm the openclaw-wasm-sandbox enforces isolation (no network access and restricted file access) or explicitly limit allowed-outbound-hosts before running model/dnn operations; 4) if possible, inspect the WASM source or run it in a disposable environment first; and 5) prefer a skill that provides an install spec with signed artifacts or an official homepage/repository. These precautions reduce the risk of executing untrusted code or accidental data exposure.

Like a lobster shell, security has layers — review code before you run it.

latestvk9703spa3xkk1ehky6tdmy885x84c0cy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments