ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Create your persanal travel-map

v1.0.1

Generate illustrated travel itinerary maps in Studio Ghibli/Miyazaki anime style. Creates a hand-drawn style map PNG with cartoon POI illustrations placed at...

0· 27·0 current·0 all-time
by@kensonh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Ghibli-style travel-map generator) align with included assets and scripts: stylization, compositing, coordinate math, and icon generation. No unrelated credentials, binaries, or surprising dependencies are declared.
Instruction Scope
Runtime SKILL.md stays within map-generation scope: it collects city/POI info, optionally uses WebSearch/browser-agent to fetch POIs and Google Maps screenshots, and runs local Python scripts to stylize and composite images. Note: it instructs the agent to use networked tools (WebSearch, browser-agent, ImageGen) and to write temporary files under /tmp — expected for this task but worth noting because external web scraping and screenshots will contact third-party services (Google Maps and ImageGen).
Install Mechanism
No remote download of arbitrary code; installer is a local shell script that copies the skill directory into platform-specific config paths. It removes any existing directory at the target path before copying. Dependency installer (install_deps.py) runs pip to install Pillow (network access). This is expected for a skill but be aware the installer will modify user platform config directories and can delete an existing installation at that path.
Credentials
No required environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or cloud keys — dependency installation is limited to Pillow.
Persistence & Privilege
always:false and default model-invocation behavior. The installer makes the skill persistent by copying files into assistant platform directories (typical for skills). It does not modify other skills' configs or request elevated system privileges.
Assessment
This skill appears internally consistent with its stated purpose. Before installing: (1) Inspect the files locally (especially install.sh and the scripts folder). (2) Run install.sh with --dry-run first or install only for a single, known platform rather than --all to avoid unexpected copies/deletions. (3) Be aware install_deps.py will call pip and download Pillow from PyPI — run that in a virtual environment if you prefer isolation. (4) The skill uses WebSearch/browser-agent to scrape Google Maps URLs and uses ImageGen for image generation — these require network access and interact with third-party services. (5) If you have legal/privacy concerns about generating images in a named artist’s style, consider whether that is acceptable for your use. If you want additional assurance, run the scripts in a sandbox and inspect scripts/security_scan.py before allowing the skill to be installed system-wide.
scripts/security_scan.py:68
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9735n73kj8x972290wz1ysvth843f6n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments