Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

design-analysis

v1.0.0

Automatically analyzes the images in a design-asset folder and generates a multi-chapter, structured HTML presentation document, with support for custom layouts and page sizes.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description promise '智能分析图片内容' (intelligent image content analysis). The implementation only scans filenames and modification times and inserts template text — there is no image-vision, OCR, or external model call. This is an overclaim: the required files and code are otherwise consistent with generating HTML from local images, but the advertised 'intelligent analysis' is not present in the code.
Instruction Scope
SKILL.md and run.js direct the agent to read a local input folder and write an output HTML file — which the code does. However, the skill accepts sections[].content as raw HTML and writes it directly into the generated file without sanitization; that means untrusted or injected HTML could cause unsafe content when the resulting HTML is opened (local XSS/phishing risk). run.js also logs the entire params object (including any context) to stdout.
Install Mechanism
No install spec is provided and the included install.sh only performs local checks and optional test runs. There are no remote downloads, package installations, or extract-from-URL steps. This is low-risk from an install-mechanism perspective.
Credentials
The skill requests no environment variables, no credentials, and package.json declares only file access capabilities (read/write/scan), which match the described purpose. There are no unrelated secrets or network permissions requested.
Persistence & Privilege
The manifest sets always:false and provides no mechanism to persist or to modify other skills or system configuration. The skill reads and writes only the input/output paths provided; autonomous invocation is allowed by default but is not combined with other high-risk capabilities.
What to consider before installing
This skill reads a local image folder and writes a single HTML presentation file; it does not call external networks or require credentials. Before installing or running it:
1) Understand that it does not perform real image-vision analysis; its 'analysis' is template-driven, based on filenames and timestamps. If you need true image content analysis, this skill does not provide that.
2) Be careful when passing sections[].content (HTML strings) or any untrusted inputs: they are embedded verbatim into the output HTML and could be used for malicious content when opened in a browser.
3) Run the provided install.sh/test locally first in a safe folder to observe behavior, and inspect the generated HTML (and image paths) before sharing.
4) If you plan to let the agent invoke this skill autonomously, limit input_folder/output_file to directories you control and avoid exposing sensitive files.
If you want higher assurance, request that the author add explicit image-content analysis code (e.g., a clear call to a vision library or model) or label the capability accurately.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
test.js:60
Shell command execution detected (child_process).

