Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
bd test
v0.0.1
Manage skills for visual understanding: register, list, invoke, and delete detection skills. Supports person detection, pedestrian counting, vehicle recognit...
by Power Lin @linpower
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description say this manages and invokes visual-detection skills via local Node scripts (invoke.mjs, visualize.mjs, etc.). That purpose would legitimately require Node.js, the referenced script files and example assets, and API credentials for the platform — but the skill declares no required binaries, no required env vars, and provides no code files. The declared footprint does not match the described capability.
Instruction Scope
SKILL.md instructs running node scripts that read images, write visualizations, and use ROI/tripwire workflows. It also references many local docs (roi-workflow.md, tripwire-workflow.md, types-guide.md, examples/) that are not included. The instructions also tell you to 'Get API Key' but give no detail how/where the key is stored or used. The runtime instructions therefore assume access to files, binaries and credentials that are not declared or packaged.
Install Mechanism
There is no install spec and no code files. For a tool that instructs running Node scripts, an install step (or at least bundling the scripts) would be expected. Absence of any install or packaged code means the SKILL.md is incomplete or is relying on external, unbundled artifacts — this is risky and incoherent.
Credentials
The doc explicitly mentions an API key and 'ep-id' but requires no environment variables or credentials in metadata. That mismatch is suspicious: the skill will likely need platform credentials (API key/token) and possibly endpoint configuration, but does not declare them or explain how they are provided. Users would need to know where to place secrets and whether the skill will send images or results to external services.
Persistence & Privilege
The skill does not request always-on presence and uses default autonomous invocation settings. There is no indication it modifies other skills or system-wide settings. This dimension does not raise additional concerns.
What to consider before installing
This SKILL.md looks like documentation for a Node-based visual-detection toolkit, but the package is missing the actual scripts, docs, and explicit credential instructions. Before installing or enabling:
1) ask the publisher for the missing files (scripts/*.mjs and the referenced md/docs) or a clear install step;
2) confirm whether Node.js is required and which binaries will be executed;
3) ask where the API key/ep-id should be stored (env var name or config file) and whether any data (images/results) will be sent to an external service;
4) prefer skills with a known homepage/source and included code or an install script you can audit.
Because of these inconsistencies, treat this skill as incomplete and avoid enabling it until the missing artifacts and credential usage are clarified.
Like a lobster shell, security has layers — review code before you run it.
