Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Local GMNCODE Vision

v1.0.0

When the built-in image tool is unavailable but GMNCODE_API_KEY is configured on the local machine, use a local script to call the GMNCODE Responses API directly for image understanding. Suitable for tasks such as identifying characters, describing images, analysing style, and understanding screenshots.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md says the skill is a local fallback that directly calls the GMNCODE Responses API and depends on GMNCODE_API_KEY, which is coherent with the described purpose. However, the package metadata lists no required environment variables and no primary credential, and the actual helper script (/home/ubuntu/.openclaw/workspace/scripts_gmncode_image.py) is not included in the skill bundle. The missing declaration of the API key and the absent script file are inconsistencies.
! Instruction Scope
Runtime instructions explicitly tell the agent to run an absolute-path local script. Because the skill bundle does not include that script, the agent would execute an external, unseen file on disk. The instructions rely on the GMNCODE_API_KEY env var and on network access to an external API (implied), but provide no details about what the script does or what data it sends/receives.
Install Mechanism
There is no install spec and no code files in the bundle (instruction-only), so the skill itself does not place new binaries on disk. That lowers supply-chain risk. However, the skill's value depends on a separate local script outside the bundle, which raises operational risk because that external script is unreviewed.
! Credentials
The instructions declare a dependency on GMNCODE_API_KEY (sensitive credential) but the skill's declared requirements list no environment variables and no primary credential — an evident mismatch. Requesting an API key for the stated purpose is reasonable, but the lack of metadata and lack of included script means you cannot verify how that key would be used or where data might be sent.
Persistence & Privilege
The skill is not marked always:true and does not request persistent installation or system-wide config changes. It is user-invocable only. Autonomous invocation is allowed by default but is not combined here with other elevated privileges.
What to consider before installing
Do not run or grant secrets for this skill until you or the publisher supply and you review the referenced script (/home/ubuntu/.openclaw/workspace/scripts_gmncode_image.py). Specifically: (1) Inspect the script source to confirm what network endpoints it calls, what data it sends, and whether it logs or transmits your files or environment variables. (2) Confirm why the package metadata omitted GMNCODE_API_KEY and request that the skill declare required env vars and include or link the script source. (3) If you must test, use a limited-scope or disposable GMNCODE_API_KEY and run in an isolated environment. (4) Prefer the official image provider when available and rotate or revoke any key used for testing. If the publisher cannot provide the script source or a trustworthy explanation, treat the skill as untrusted.


latest: vk97ffydnrkg9vf21kka9e7qrd183hp3z
