Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fashion Designer
v1.0.1
Use this skill when users need outfit advice or shopping suggestions for clothing, shoes, accessories, or bags. You will provide fashion outfit options based...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Skill purpose (outfit/shopping recommendations) is consistent with instructions to fetch product data, match outfits, and produce messaging/docs. However, the SKILL.md presumes capabilities (downloading images with curl, writing USER.md, uploading to Feishu via feishu_doc_media or feishu_update_doc, using agent-browser or a built-in web-scraper) that are not declared in the skill metadata (no required binaries, no required env vars, no required config paths). Also SKILL.md alternately references `configs.json` while the package includes `config.json` (filename mismatch).
Instruction Scope
Runtime instructions tell the agent to: scrape up to two external shopping sites, download product images to /tmp using curl, create and update a persistent USER.md with user profiles, and upload images into Feishu documents using feishu_doc_media and feishu_update_doc. These actions involve network I/O, local file writes, and access to IM message context (open_id). The instructions do not limit or justify access scope (no privacy/retention guidance beyond deleting /tmp images) and assume availability of tools and message context not guaranteed by metadata.
Install Mechanism
No install spec and no code files — instruction-only skill. Low install risk because nothing is downloaded or written by an installer. The runtime still expects external skills/tools to be present.
Credentials
The SKILL.md requires Feishu-specific operations (image upload, message context open_id) that imply Feishu credentials/tokens, but the skill declares no required environment variables or primary credential. It also expects system binaries like curl and write access to /tmp and local filesystem (USER.md) without declaring these requirements. Absence of declared credentials and config paths makes it unclear what secrets or permissions the agent will need at runtime.
Persistence & Privilege
The skill will persist user profiles to a USER.md file and update Feishu documents across sessions (intended continuous learning). It does not request always:true or modify other skills, but persistent local storage of user profiles is a privacy consideration that the metadata does not disclose or scope.
What to consider before installing
Things to consider before installing:
- The skill expects to download images (it uses curl in instructions), write a persistent USER.md, and upload images to Feishu — but it did not declare required binaries or Feishu credentials. Confirm your agent environment actually provides curl, filesystem write access, and the Feishu integration (and understand which Feishu tokens/credentials will be used).
- The skill will store personal profile data locally (USER.md) and update remote Feishu documents. If this contains sensitive info, decide where it should be stored and for how long. Ask the skill author to declare config paths, retention, and encryption policies.
- The SKILL.md references `configs.json` but the repo contains `config.json` — verify filenames and the shopping-site list before letting the agent scrape sites. Review the configured shop URLs yourself to ensure they are expected.
- If you plan to allow autonomous invocation, be aware the agent can fetch external sites and post/update Feishu documents on your behalf; only enable this skill if you trust it and/or run it in an environment with appropriate network and credential controls.
- Recommended remediation before use: request that the author update metadata to list required binaries (curl), required credentials/env vars for Feishu, and the config path for USER.md (or allow explicit user confirmation before storing profiles).
