Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vision Analyzer

v1.0.1

Analyze images using Ollama Cloud's Kimi K2.5 vision capabilities. Use when user wants to describe, understand, or get information about an image. Works with...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's name, SKILL.md, and script consistently state that it uses Ollama Cloud's Kimi K2.5 model to analyze images — that purpose matches the implementation. However, the registry metadata lists no required environment variables while both SKILL.md and the script require OLLAMA_API_KEY; this omission is an inconsistency and reduces transparency. The source and homepage are also missing, which makes provenance unclear.
Instruction Scope
Runtime instructions are narrow and consistent: run the included Python script with a local image path and optionally a prompt. The script only reads the supplied image path and the OLLAMA_API_KEY env var, base64-encodes the image, and posts it to https://ollama.com/api/generate. This is within the stated purpose, but it does transmit the full image (and prompt) to a third party — a privacy exposure users should consider.
Install Mechanism
No install spec is provided (instruction-only plus a small Python script). Nothing downloads arbitrary code at install time and no archives or external install URLs are used. The script will run with the existing Python runtime; this is a low install risk.
! Credentials
The script legitimately requires a single API key (OLLAMA_API_KEY) to call Ollama Cloud, which is proportionate to the stated function. However, the registry metadata incorrectly lists no required env vars, which is a transparency issue. Also, providing that API key grants the skill (and Ollama) access to any image data you send; users should confirm acceptable data handling and token scope before supplying sensitive images or reusing high-privilege keys.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not attempt to change system settings, other skills, or request elevated privileges. It does not persist credentials or modify other configs.
What to consider before installing
This skill's code matches its description: it reads a local image and posts it (base64) to Ollama Cloud using OLLAMA_API_KEY. Before installing, verify the skill's provenance (source/homepage missing), confirm you are comfortable sending images (potentially sensitive) to Ollama, and only provide an API key with appropriate, limited scope or a throwaway key for testing. Also ask the publisher to update the registry metadata to declare OLLAMA_API_KEY as a required env var so the permissions are transparent.
