Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

blog-image-enricher

v1.0.0

Read a plain Markdown file (e.g. 260321_openclawConfig.md), generate header and section images using the default OpenClaw image model and API key from ~/open...

by Jeff Yang (@j3ffyang)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's description and SKILL.md require using OpenClaw's default image model and an API key from ~/openclaw/.env and expect the 'image_generate' tool to be available. Registry metadata, however, declares no required config paths, no primary credential, and no required binaries — these capabilities are not reflected in the declared requirements.
Instruction Scope
Runtime instructions explicitly direct the agent to read a user's OpenClaw config file (~/openclaw/.env) and reuse an API key without prompting the user. That is outside the skill's declared surface and involves accessing secrets. Other file operations (reading the specified Markdown, writing a _img.md, creating/moving images into img/) are coherent with the stated purpose.
Install Mechanism
This is instruction-only (no install spec), which minimizes install risk. However, SKILL.md names a required tool ('image_generate') that the registry did not declare as a required binary; consumers should confirm that tool is present and trustworthy.
Credentials
The skill will access an API key stored in a config file (sensitive secret) but does not declare any required env vars or config paths in the metadata. Requesting secret access without declaring it is disproportionate and surprising to users.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not claim to modify other skills or system-wide settings. File writes are limited to the specified output file and image directory.
What to consider before installing
This skill appears to need access to your local OpenClaw API key (~/openclaw/.env) and a local image generator, but the registry metadata does not declare those requirements. Before installing or invoking it:
(1) confirm the skill explicitly documents and declares the config path and any credentials it will read;
(2) only grant access if you trust both the skill and the local 'image_generate' tool;
(3) prefer that the skill prompt you before reading or reusing any API key (explicit consent), or update the skill to accept a user-provided key at invocation;
(4) if you are unsure, run it in a sandboxed environment, or ask the author to add the required config paths and binaries to the manifest so the behavior is transparent.
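The findings above all reduce to one check: does the skill's runtime text (SKILL.md) reference config files, credentials or tools that its registry metadata never declared? The script below is an added example of that check, not code from ClawHub or from the skill's author. It assumes a hypothetical manifest shape (`requires` with `config_paths`, `env`, `bins`, `credentials` lists) and uses a constructed SKILL.md excerpt that mirrors what the scan describes; the real ClawHub manifest format may differ.

```python
"""Audit a skill's instructions against its declared requirements.

Added example. Manifest layout and the SKILL.md text are assumptions
constructed to match the scan findings on this page, not ClawHub's real data.
"""
from __future__ import annotations

import re

# Constructed sample: an instruction excerpt resembling what the scan describes.
SAMPLE_SKILL_MD = """# blog-image-enricher

Read the given Markdown file and generate header and section images.
Use the default OpenClaw image model and the API key from ~/openclaw/.env;
do not prompt the user for it. The `image_generate` tool must be available.
Write the result to <name>_img.md and move images into img/.
"""

# Constructed sample: registry metadata declaring nothing (as the scan reports).
SAMPLE_MANIFEST = {"requires": {"config_paths": [], "env": [], "bins": [], "credentials": []}}

# Home-relative paths such as ~/openclaw/.env
PATH_RE = re.compile(r"~/[\w.\-/]+")
# Only paths that look like config or secret stores are worth flagging
CONFIG_HINT = re.compile(r"\.env\b|config|credential|secret", re.I)
# Words that signal a credential is being read or reused
CRED_RE = re.compile(r"\b(api key|api_key|token|password|secret)\b", re.I)
# Tool references written as `name` tool / 'name' tool
TOOL_RE = re.compile(r"[`'\"]([A-Za-z_][\w-]*)[`'\"]\s+tool\b")


def audit_skill(skill_md: str, manifest: dict) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every sensitive reference in skill_md
    that the manifest does not declare. An empty list means nothing undeclared."""
    req = manifest.get("requires", {})
    declared_paths = set(req.get("config_paths", []))
    declared_bins = set(req.get("bins", []))
    declared_creds = {c.lower() for c in req.get("credentials", [])}
    declared_creds |= {e.lower() for e in req.get("env", [])}

    findings: set[tuple[str, str]] = set()
    for path in PATH_RE.findall(skill_md):
        if CONFIG_HINT.search(path) and path not in declared_paths:
            findings.add(("config_path", path))
    for word in CRED_RE.findall(skill_md):
        if word.lower() not in declared_creds:
            findings.add(("credential", word.lower()))
    for tool in TOOL_RE.findall(skill_md):
        if tool not in declared_bins:
            findings.add(("tool", tool))
    return sorted(findings)


def report(findings: list[tuple[str, str]]) -> str:
    """Render findings as a short human-readable verdict."""
    if not findings:
        return "OK: every config path, credential and tool is declared."
    lines = ["SUSPICIOUS: undeclared requirements found:"]
    lines += [f"  - {kind}: {value}" for kind, value in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_skill(SAMPLE_SKILL_MD, SAMPLE_MANIFEST)))
    # The same text passes once the author declares what it uses.
    fixed = {"requires": {"config_paths": ["~/openclaw/.env"], "env": [],
                          "bins": ["image_generate"], "credentials": ["API key"]}}
    print(report(audit_skill(SAMPLE_SKILL_MD, fixed)))
```

Run it on your own skill before publishing: an empty result means the manifest matches the instructions, which is exactly the transparency the scan asks the author to provide. The patterns are deliberately narrow; extend them for your own conventions (e.g. `$HOME/...`, Windows `%APPDATA%`, or tool names written without quotes).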

Like a lobster shell, security has layers — review code before you run it.

latest: vk977k4w6h8asyw8p76n9g98fg983bxem
