Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Data Generator

v1.1.0

Data Generator - Generate training data from user instructions. Input: tool name + command list. Output: JSONL.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
Name/description: data generation for training data — matches the code's purpose. Mismatch: SKILL.md and usage examples mention Excel input (excel_file) and prompt_template parameters; data_generator.py does not implement reading Excel files nor accept a prompt_template or excel_file parameter. The SKILL.md API and the actual code signature are not aligned.
!
Instruction Scope
SKILL.md instructs use with Excel and customizable prompts and shows a Generator.generate signature that accepts excel_file and prompt_template. The runtime code only accepts a list of commands and an optional output_file — it never reads Excel or any other files. Also the SKILL.md metadata declares python3 as required but does not declare any env vars, while the code reads MINIMAX_API_KEY, OPENAI_API_KEY and API_URL from environment.
Install Mechanism
No install spec; this is an instruction-only skill with a small Python file. No remote downloads or archive extraction are performed by the registry/install metadata. Low install risk.
!
Credentials
Registry lists no required env vars, but the code reads MINIMAX_API_KEY and OPENAI_API_KEY and an API_URL (default http://127.0.0.1:8766). The api_key is captured in Generator but is not added to request headers in the current code (so not actively leaked). However the skill posts prompts to a configurable base_url; if API_URL is set to a remote host that host will receive prompts and LLM outputs. The mismatch between declared and accessed env vars and the ability to point to an arbitrary endpoint increases risk.
Persistence & Privilege
always is false, skill is user-invocable, and there is no code that modifies system or other skills' configuration. No special persistence or elevated privileges requested.
What to consider before installing
This skill's code is small and readable, but there are important mismatches to be aware of:

(1) SKILL.md advertises Excel input and a prompt_template parameter that the shipped Python file does not implement — so the documentation is unreliable.
(2) The code reads MINIMAX_API_KEY / OPENAI_API_KEY and an API_URL env var (defaulting to http://127.0.0.1:8766). While the current code does not include the API key in request headers, it does send prompts and generated text to the configured API_URL.

Before installing or using:
- Review and run the Python file locally to confirm behavior.
- Ensure API_URL (if set) points to a trusted host (prefer localhost or an internal LLM) and do not set secrets in environment unless you trust the endpoint.
- Do not supply sensitive or proprietary data until you're satisfied where prompts are sent.
- If you need Excel support or prompt customization, note the current implementation lacks those features — expect to modify or extend the code.

If you want a fully aligned/safer experience, ask the author to fix the documentation or update the code so declared inputs match implemented behavior.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📝 Clawdis
Bins: python3
