Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pretext
v1.0.1精准文本测量与布局引擎(基于开源 Pretext)。无需触碰 DOM,纯算术计算文本像素高度,支持中文、CJK、emoji 等多语言。多用于前端虚拟滚动、AI 生成 UI 布局预计算、Canvas 渲染等场景。当用户需要计算文字在指定宽度下的高度、判断换行行数、或精确布局文本时调用此 Skill。
⭐ 0· 97·0 current·0 all-time
byFreyr@markcookie
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the delivered artifacts: package.json declares @chenglou/pretext and optional canvas, and the scripts implement measuring, layout, batch, rich-text and canvas helpers. Required binary is only node which is appropriate for a Node.js-based text-measurement skill.
Instruction Scope
SKILL.md instructs the agent to run local node scripts (measure.js, batch.js, layout-lines.js, etc.) and to optionally paste generated snippets into a browser. This is consistent with the stated purpose. Caution: measure-browser.js emits code/snippets that instruct loading pretext from an external CDN (unpkg) intended for browser evaluation — that has the usual risks of executing remotely-hosted JS if pasted into a browser console.
Install Mechanism
There is no platform install spec, but scripts/install-deps.js will execSync npm install to pull @chenglou/pretext and canvas. This is expected for a Node skill, but it downloads packages from npm/unpkg at install/runtime — users should be aware this fetches third-party code and that node-canvas may require system libs. The install uses standard npm commands (no obscure URLs or shorteners).
Credentials
The skill requests no environment variables, no credentials and no config paths. The code only relies on the Node runtime and optional native canvas libs; that is proportionate to the functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent agent/system privileges. It does not modify other skills' configs. Its install helper modifies only files in its own skill directory (npm modules).
Scan Findings in Context
[unicode-control-chars] unexpected: The pre-scan flagged unicode control characters inside SKILL.md. This is not necessary for a measurement skill and may be used to obfuscate or change how the document is rendered. The files themselves (scripts/*.js, package.json) do not need hidden control characters to function; recommend manually inspecting SKILL.md for invisible characters before installing or running anything produced by it.
Assessment
This skill appears to do what it claims: Node scripts implement Pretext-based text measurement and require only Node (and optionally node-canvas for higher fidelity). Before installing or running it: 1) Inspect SKILL.md for hidden/unexpected characters (the scanner found unicode control chars). 2) Run install-deps.js (or run npm install manually) inside a sandbox or on a dev machine — it will download @chenglou/pretext and optionally canvas from npm/unpkg. 3) Be aware node-canvas may need system libraries (Cairo/Pango) and npm install will run network requests. 4) If you plan to paste browser snippets produced by measure-browser.js, review those snippets and avoid pasting unknown scripts into production browsers; they load code from unpkg. 5) If you need higher assurance, verify the @chenglou/pretext package/version on npm/GitHub and audit dependencies before use.scripts/install-deps.js:41
Shell command execution detected (child_process).
scripts/test-compare.js:25
Shell command execution detected (child_process).
scripts/test-zh-en.js:20
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
ai-uivk97bp3f8pb3mqy03ra6sr18yas84gmwncanvasvk97bp3f8pb3mqy03ra6sr18yas84gmwnchinese-textvk97bp3f8pb3mqy03ra6sr18yas84gmwnfrontendvk97bp3f8pb3mqy03ra6sr18yas84gmwni18nvk97bp3f8pb3mqy03ra6sr18yas84gmwnlatestvk97bp3f8pb3mqy03ra6sr18yas84gmwnlayoutvk97bp3f8pb3mqy03ra6sr18yas84gmwnnodejsvk97bp3f8pb3mqy03ra6sr18yas84gmwntext-measurementvk97bp3f8pb3mqy03ra6sr18yas84gmwnvirtual-scrollvk97bp3f8pb3mqy03ra6sr18yas84gmwn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📐 Clawdis
Binsnode