Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aetherviz Master

v1.0.0

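AetherViz Master - Interactive educational visualization architect that turns any teaching topic into an extremely beautiful, highly interactive, professional teaching web page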

by liwu @liwu800729
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (convert teaching topics to interactive 3D webpages) align with the instructions: detailed guidance for Three.js, SVG, D3, KaTeX, UI layout and output HTML. The capabilities requested by the skill (no env vars, no installs) are reasonable for an instruction-only generator. However, SKILL.md inconsistently both lists CDN-based dependencies and strictly requires a 'zero-dependency' single HTML file, which is a functional mismatch (see instruction_scope).
Instruction Scope
The runtime instructions are long and prescriptive; they direct the agent to produce exactly one complete HTML file and 'zero-dependency' behavior while earlier sections enumerate CDN links (Three.js, KaTeX, Tailwind, D3). This is a contradiction: the agent must either inline third‑party libraries into the single file or reference external CDNs. That ambiguity could lead the agent to fetch external resources during generation or embed large minified libraries into output. The SKILL.md does not instruct reading system files, env vars, or contacting unexpected endpoints, but the CDN/zero-dependency conflict raises a risk of unexpected network activity or inclusion of third‑party code without explicit provenance.
Install Mechanism
No install spec and no shipped code files — instruction-only skill. This keeps disk and install risk low. There are no download URLs or extract operations in the skill manifest.
Credentials
No required environment variables, no credentials, and no system config paths requested. The skill does not ask for unrelated secrets or broad access.
Persistence & Privilege
Defaults (always:false, agent-invocation allowed) are normal and present. The skill does not request persistent system presence or to modify other skills or global agent settings.
What to consider before installing
This skill appears to legitimately describe a generator for interactive lesson HTML and does not request credentials or install anything — good. But SKILL.md contradicts itself: it lists external CDNs (Three.js, KaTeX, Tailwind, D3) yet also mandates a single self-contained HTML with 'zero-dependency' external files. Before installing or using it, consider the following:

- Ask the author (or check any implementation) how third-party libs will be handled: will the agent inline minified libraries into the single HTML, or will the generated HTML reference CDN URLs? Inlining produces very large files; referencing CDNs causes network fetches and external trust dependencies.
- If the generator references external CDNs, review the exact URLs in the produced HTML and confirm they point to official, pinned versions (no personal servers or shortened URLs). Avoid loading unknown remote scripts in sensitive environments.
- If the generator inlines libraries, inspect the produced HTML to ensure no unknown or obfuscated code was embedded (search for eval, data exfil endpoints, suspicious inline script blocks). Run the generated page in a sandboxed browser or VM first.
- Because the skill forces a single-file output and forbids any extra explanation, errors or hidden network calls may be harder to detect — test with small example topics first and manually inspect output.

Additional info that would change this assessment: explicit, consistent instructions describing whether and how third-party libraries are inlined or referenced (with exact trusted source URLs) would reduce ambiguity and move this toward 'benign'.

Like a lobster shell, security has layers — review code before you run it.
