ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Color Toolkit

v1.0.0

Convert, analyze, and generate colors from the CLI. Supports HEX, RGB, HSL, HSV, CMYK conversion, WCAG contrast ratio checking (AA/AAA compliance), palette g...

0· 75·0 current·0 all-time
byJohn Wang@johnnywang2001
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included artifacts: the SKILL.md documents a CLI Python tool and the repository contains a Python script implementing color parsing, conversion, contrast checks, palette generation and manipulation. The requested surface (no env vars, no binaries, no installs) is proportional to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python script with straightforward CLI arguments; the instructions do not request reading unrelated files, environment variables, or contacting remote endpoints. However, the presented script output is truncated near the end, so it's not possible to fully confirm there are no extra runtime behaviors beyond what's shown.
Install Mechanism
No install spec is present (instruction-only), and the code claims to be pure Python with no external dependencies. This is low-risk and proportionate for a small CLI utility.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the visible code does not access environment variables or secret-containing paths. This is proportionate for the described functionality.
Persistence & Privilege
Skill is not set to always: true and uses normal, user-invocable/autonomous invocation defaults. It does not request elevated persistence or modify other skills/configs in the visible content.
What to consider before installing
The skill appears coherent and implements a local Python color toolkit with no strange permissions or network calls in the visible code. However, the provided script was truncated in the submission — you should inspect the full scripts/color_toolkit.py file before installing or running. Steps to reduce risk: (1) open the complete file and search for imports like urllib, requests, socket, subprocess, os.system or any code that reads files outside its scope; (2) verify the file length matches the declared size and there is no appended/obfuscated payload; (3) run the script in an isolated environment (container or VM) if you plan to execute it; (4) optionally run a linter/static analyzer to surface hidden issues. If the full file matches the excerpt and contains no networking/subprocess/file-exfiltration logic, the skill is reasonable to use.

Like a lobster shell, security has layers — review code before you run it.

latestvk972jbcbyyf3c2btpx4y6axg8983d7fm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments