Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Local GMNCODE Vision Pro

v1.0.0

Advanced local vision infrastructure for agents when built-in image tools are unavailable or unreliable. Use for batch image analysis, structured JSON output...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The name/description emphasize a local/professional offline fallback, but the included scripts POST base64-encoded images to https://gmncode.cn/v1/responses using a GMNCODE_API_KEY. Requiring an external API key and network calls contradicts the 'local' implication. Additionally, SKILL.md lists GMNCODE_API_KEY in Dependencies while the registry metadata shows no required env vars — a clear mismatch.
Instruction Scope (flagged)
Runtime instructions point to local scripts that read arbitrary image file paths and invoke the bundled Python scripts. The scripts encode whole images and transmit them to an external endpoint without any SKILL.md warning about external transmission or privacy/retention. SKILL.md also hardcodes absolute paths under /home/ubuntu, which may not be valid for other environments.
Install Mechanism
There is no install spec (lower install risk), but the code files require Python and the 'requests' library, neither of which is declared. No downloaded or extracted binaries are present, but the lack of dependency declaration may cause runtime failures or unexpected behavior.
Credentials (flagged)
The code reads GMNCODE_API_KEY from the environment (and will fail without it), yet the registry metadata does not declare any required env vars or a primary credential. An API key that lets a third-party service receive full image payloads is a high-impact secret and should be explicitly declared and justified.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide persistence, and has no install script that modifies other skills or global agent configuration.
What to consider before installing
Do not install or provide credentials to this skill until you are comfortable with the external transmission of images. Key points to consider:
- This skill is NOT truly local: it base64-encodes images and sends them to https://gmncode.cn. Treat this as sending sensitive data to a third party.
- Registry metadata omits the required GMNCODE_API_KEY; the discrepancy is suspicious and should be fixed or explained before trusting the skill.
- If you need to evaluate safely: inspect/modify scripts locally, run them with non-sensitive test images, and monitor network traffic to confirm endpoints. Only supply an API key if you trust the gmncode.cn service and its privacy/retention policies. Prefer a version that performs inference locally (no network) if you require true local processing.

Like a lobster shell, security has layers — review code before you run it.
