Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Horse Sticker Maker
v1.0.0

Create and deploy a festive Chinese New Year (Year of the Horse 2026) animated GIF sticker maker web app. Use when the user wants to generate custom horse-th...

by @jiafar

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The stated purpose (client-side GIF sticker generator + optional AI-generated images/poems) matches the included code: there are Next.js routes that call AI image/text APIs and client pages that render GIFs. However the skill metadata declares no required environment variables or credentials while the server code expects Google API keys (GOOGLE_API_KEY and GEMINI_API_KEY). Also package.json includes native/image-processing dependency 'sharp' and a server-side GIF encoder ('gif-encoder-2') even though the SKILL.md emphasizes client-side gif.js usage — this is disproportionate / inconsistent with the simple client-focused sticker maker description.
Instruction Scope
SKILL.md's quick start omits any instruction to set API keys or environment variables, yet the two API routes reference process.env.GOOGLE_API_KEY and process.env.GEMINI_API_KEY at top-level. That mismatch means the app can crash or log errors at runtime. The SKILL.md also describes background removal via 'sharp' but none of the server routes call sharp — another mismatch between instructions and code. The runtime instructions do use an external CDN (jsdelivr) for gif.js which is expected for client-side encoding.
Install Mechanism
There is no install spec (instruction-only install), so nothing is downloaded by the installer. Runtime uses gif.js from jsdelivr CDN (expected for client-side GIF encoding). However package.json includes 'sharp' (a native binary requiring build/install) and 'gif-encoder-2' which are heavier than necessary for a purely client-side generator — these dependencies may cause build friction or imply server-side image processing that the SKILL.md/code does not clearly use.
Credentials
The code requires at least two environment variables (GOOGLE_API_KEY and GEMINI_API_KEY) though the skill metadata declares none. Both keys appear to be for Google generative APIs but are named differently across routes (inconsistent). Keys are appended as query parameters in fetch calls (key=...), which can leak to logs or proxies. The number and naming of env vars are not explained in SKILL.md, so credential requirements are under-declared and therefore disproportionate to the documentation.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false) and does not modify other skills or system settings. Autonomous invocation is allowed (platform default) and is not by itself a concern here.
What to consider before installing
This skill implements a Next.js project that calls Google generative APIs and produces client-side GIF stickers, but it does not declare the API keys the server code requires. Before installing or deploying:

1) Do not deploy to a public host without setting environment variables — the server files expect GOOGLE_API_KEY and GEMINI_API_KEY at runtime and will fail or error if missing.
2) Confirm which single API key(s) you should provide (the code is inconsistent about key names and endpoints). Prefer setting keys as platform environment variables (e.g., Vercel Dashboard) rather than embedding them in code or in URLs.
3) The code sends keys as query parameters (key=...), which can expose them in logs — consider changing to Authorization headers.
4) Review whether you actually need the 'sharp' and 'gif-encoder-2' dependencies; 'sharp' is a native module that requires build tooling and is not clearly used in the provided routes.
5) Audit the included routes for leaking any returned data to third parties; confirm you are comfortable granting Google generative API access (costs, quotas, privacy).
6) If you plan to use this on a shared/production site, update the SKILL.md to document required env vars, and audit/standardize the API endpoints and key usage.

If you are not comfortable with these inconsistencies, do not deploy until they are resolved.

latest: vk97ds31ecf5tjzsn7xxh1hbhgn81bwxh