Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mml

v1.0.0

Build 3D scenes and interactive experiences using MML (Metaverse Markup Language) for the Otherside metaverse and other MML-compatible environments. Use when...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (building MML scenes) align with the provided SKILL.md and references. Required env vars/binaries/install steps are absent as expected for a documentation/instruction-only skill.
Instruction Scope
SKILL.md is a full language/reference and includes examples that use inline <script> (DOM APIs), event handlers, m-frame embedding, remote src URIs (models, audio, video), and probes that expose nearby user positions/chat. Those capabilities are expected for a scene-building language, but they allow arbitrary client-side JS and remote fetches — a runtime concern (privacy/exfiltration) outside the skill itself.
Install Mechanism
No install spec and no code files — lowest-risk delivery. Nothing is downloaded or written to disk by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested. The declared requirements are proportional to a documentation-only skill.
Persistence & Privilege
always is false and autonomous model invocation is default. The skill does not request persistent presence or modify other skills/configuration.
Assessment
This skill is basically documentation for MML and appears internally consistent with that purpose. Before using or deploying MML content produced with it, consider: (1) inline <script> and event handlers allow arbitrary JavaScript in the renderer — review and sanitize any scripts to avoid data exfiltration, unauthorized network calls, or malicious logic; (2) m-frame and remote src attributes can fetch arbitrary remote resources (models, audio, video, MML docs) — avoid loading untrusted hosts and check CORS/sandboxing; (3) m-position-probe and m-chat-probe expose user presence/chat data — only use with explicit user consent and in trusted environments; (4) the SKILL.md references a local compiled reference path and the skill has no provenance/homepage — if provenance matters, ask the publisher for source or prefer an official reference. If you plan to render scenes in a shared or production environment, test in an isolated environment first and ensure the client renderer applies appropriate sandboxing and network restrictions.

Like a lobster shell, security has layers — review code before you run it.

latestvk978x7yj4v7zcr20njgk4wr3qx81s4gt
