Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
image-face-recognition
v1.0.0
Recognize and identify faces
⭐ 0· 106·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name and description (face recognition) are plausible, but the SKILL.md expects a local script (scripts/image_face_recognition.py) and an API key. The published bundle contains no code, no binaries, no install, and the registry metadata declares no required env vars or credentials — that mismatch is incoherent with the stated purpose.
Instruction Scope
Runtime instructions are narrowly scoped (run a python script, set RECOGNITION_API_KEY, output JSON) and do not ask to read unrelated system files. However the instructions reference a non-existent script path and an API key without specifying the service/endpoint, which is ambiguous and could cause the agent to attempt undefined behavior or require out-of-band resources.
Install Mechanism
There is no install spec (lowest-risk pattern), but because the instructions expect a local Python script that is not included, the skill as-published is incomplete. This makes it unclear what will actually execute if the agent follows the instructions or if a user supplies their own script (potential safety/verification gap).
Credentials
SKILL.md tells users to export RECOGNITION_API_KEY, yet the skill metadata lists no required env vars or primary credential. Requesting an API key is plausible for a recognition service, but the absence of metadata and the lack of any service details make this request disproportionate and unexplained.
Persistence & Privilege
No elevated privileges requested: always is false, no config paths or system-wide changes are described, and the skill is user-invocable. There is no evidence it would persist or modify other skills or system settings.
What to consider before installing
This skill is incomplete and inconsistent. Before installing or using it, ask the publisher for: (1) the missing code (scripts/image_face_recognition.py) or a clear install procedure; (2) which external recognition service the RECOGNITION_API_KEY is for and why it's needed; (3) a declaration of required env vars/primary credential in the registry metadata; and (4) a trustworthy source/homepage and license. Do not export sensitive API keys into shared shells unless you trust the source; prefer using a scoped key, ephemeral credentials, or secrets management. If the publisher cannot provide clarifying details and signed code, treat the skill as untrusted and avoid running arbitrary scripts it references.
