Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
HPR Solver
v0.0.9
Solve optimization & planning problems using natural language. Just describe what you need — fast, accurate, and built for AI agents.
by jiawei_polyu (@ljw2024polyu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The name and description claim LP solving with HPR-LP and Julia, which matches the Julia/JuMP usage and the hprlp_solve.sh script. However, the package also contains a Python 'hybrid' parser that calls an external LLM endpoint (openrouter.ai) to generate Julia code; that networked LLM fallback is not mentioned in SKILL.md or README and is not obviously required for an HPR-LP solver (the skill could parse the natural-language input locally or ask the user). The README additionally claims "No custom code is executed," which contradicts the presence of scripts in the bundle.
Instruction Scope
SKILL.md instructs running Julia and local solver scripts and does not describe any remote LLM calls. The included scripts (scripts/hpr_hybrid.py) contain an LLM_API_URL and model name and appear to send problem text to a third-party API as a fallback parser — this could transmit user problem text externally. The shell script uses absolute user-specific paths (/home/ljw/...), which differ from the tilde-paths in SKILL.md and README and could fail or lead to unintended file access if executed as-is.
Install Mechanism
There is no formal install spec in the registry metadata (instruction-only), which is low-risk. The README suggests a manual git clone of upstream HPR-LP and installing Julia; both come from official sources. However, the bundle does include executable scripts that would be run: there is no automated installer, but the code would be executed by the agent if invoked.
Credentials
Metadata declares no required env vars, but the Python script references an external LLM endpoint and likely needs an API key (not declared). The skill may therefore expect credentials (e.g., OpenRouter API key) or rely on network access without disclosing it in SKILL.md/README. That mismatch between declared environment requirements and actual code is concerning because it can lead to unintended secret use or data exfiltration.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence. It does contain scripts that, if executed, call local Julia binaries and run solver scripts; there is no evidence it modifies other skills or agent-wide settings. The hard-coded /home/ljw paths are brittle but not an elevated privilege request.
What to consider before installing
This skill contains local solver scripts (expected) but also a Python 'hybrid' parser that calls an external LLM (openrouter.ai) and includes hard-coded user paths. Before installing or using it:
1) Inspect scripts/hpr_hybrid.py fully to see whether it sends problem text or other data to the remote LLM and whether it expects an API key in an env var (the skill metadata does not declare any).
2) If you don't want your problem descriptions sent outside your environment, do not run the hybrid parser; instead run the local Julia hprlp_solve.jl directly after installing Julia and HPR-LP manually.
3) Fix hard-coded paths (e.g., /home/ljw) to point to your environment, or use the tilde-based paths described in the README.
4) Ask the maintainer to document any remote network calls and required environment variables (API keys) in SKILL.md and to remove the LLM fallback or make it explicit and opt-in.
If the author confirms there are no remote calls or that the LLM fallback is removed/opt-in, the concerns would be largely resolved.
Tags: optimization, solver, linear programming, planning, scheduling, natural-language, ai
