ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Look

v2.3.0

Convert user images into validated action drafts like calendar events, meal macros, receipts, products, civic reports, or documents for confirmation and exec...

0· 40·0 current·0 all-time
byIndigo Karasu@indigokarasu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated goal (convert user images into drafts) matches most of the described behavior (OCR, draft generation, journals). However, SKILL.md instructs the agent to emit Signal files into ~/openclaw/db/ocas-elephas/intake and to self-update from a GitHub repo. The skill.json filesystem section only declares read/write for ~/openclaw/data/ocas-look/ and ~/openclaw/journals/ocas-look/ and does not mention the elephas intake DB path or any mechanism for self-updates. Writing into another skill's DB directory and auto-update behavior are not justified by the manifest and are disproportionate to the stated needs.
!
Instruction Scope
Runtime instructions include: creating/ensuring ~/openclaw/db/ocas-elephas/intake/ exists and writing Signal files there; registering a daily cron job (look:update) to pull updates from GitHub; creating and writing journals and JSONL event/decision files. The cron/self-update and writing into another skill's intake are out-of-band actions relative to the declared read/write scope and grant the skill the ability to modify system state and other skill data. The instructions also indicate external research (Sift) and optional web validation, which implies network activity not enumerated in the manifest.
Install Mechanism
There is no install spec and no code files in the package (instruction-only), which is low-risk for disk-write/execution. However, the SKILL.md and README reference pulling code from a GitHub repo and a self-update command. That implies the agent or the skill intends to fetch external code at runtime; instruction-only packaging plus an on-demand updater increases the risk surface because fetched code would not have been present at static review.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for an image-to-draft tool. It will, however, process potentially sensitive data (images with EXIF including GPS/time) and store journals and artifacts locally. The skill intends to write into another skill's intake directory (Elephas), which is a cross-skill write not declared in the manifest and could lead to unexpected propagation of extracted entities to other systems; no additional credentials are requested but the data sensitivity is high.
!
Persistence & Privilege
SKILL.md/README explicitly state registration of a daily cron job (look:update) for self-updates. Registering cron jobs (system-level scheduled tasks) and performing automatic pulls from a GitHub source are persistent privileges beyond typical read/write of a skill's own data files. The skill manifest does not declare or justify this persistence, nor does it list the target repo or verify signing. This combination (auto-update + write-to-other-skill paths) increases the blast radius if the update source were compromised.
What to consider before installing
What to consider before installing: - Cron and self-update: The skill asks the agent to register a daily cron job that pulls code from GitHub. Automatic self-updates can change behavior after installation; only accept this if you trust the upstream repo and are comfortable with scheduled remote fetches. Prefer requiring manual updates or code signing verification. - Cross-skill writes: The instructions create/write files under ~/openclaw/db/ocas-elephas/intake/, which is outside the declared filesystem permissions. Confirm you want this skill to write into another skill's intake directory (that will propagate extracted entities to other components). - Sensitive data: The skill will ingest images and EXIF (location/time). Even though it doesn't request credentials, it will store journals and artifacts locally; review retention settings in config.json (default 30 days). If you handle sensitive images, audit where journals/artifacts are written and consider stricter retention. - External code fetch: Because the package is instruction-only but references a GitHub repo and self-update, the agent may fetch code at runtime that wasn't reviewed. If you want to proceed, inspect the referenced GitHub repo (https://github.com/indigokarasu/look) to verify source and review update mechanism. - Manifest mismatch: Ask the publisher to update skill.json to declare any additional filesystem paths (elephas intake) and to explicitly describe and optionally disable the auto-update cron. That alignment would reduce ambiguity and make the skill closer to benign. What would change this assessment to 'benign': a manifest that explicitly declares all filesystem writes (including elephas intake), a documented, auditable, and optional update mechanism (no silent cron installs), and either inclusion of the code for static review or a signed, verifiable update process.

Like a lobster shell, security has layers — review code before you run it.

latestvk9734sajdkv46j5z7k6vchpy0h83sw3j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments