Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Snipgrapher - generate images from code snippets

v0.1.0

Configure and use snipgrapher to generate polished code snippet images

by Matteo Collina (@mcollina)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the contents: all files describe configuring and running a CLI (snipgrapher) to render code snippets. Required env/config suggestions are relevant to rendering and profiles. Nothing asks for unrelated services or credentials.
Instruction Scope
Instructions are narrowly scoped to installing, initializing, configuring, and running the snipgrapher CLI (render, batch, watch, init, doctor). They reference project config files and suggest env vars relevant to rendering; no unexpected file reads, system-wide config changes, or external endpoints are specified.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk. The docs explicitly recommend falling back to 'npx --yes snipgrapher ...' if the binary is unavailable — this will fetch the package from npm at runtime. That behavior is expected for an npm CLI but carries the usual trust considerations of downloading packages from the registry.
Credentials
No required environment variables or credentials are declared. The README sensibly documents optional env vars (SNIPGRAPHER_PROFILE, THEME, etc.) that are proportional to the tool's purpose and are not sensitive credentials.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges or modify other skills or global agent settings. It is instruction-only and does not write persistent installers or tokens.
Assessment
This skill is an instruction handbook for the snipgrapher CLI and appears internally consistent. Before using it, verify the npm package name/version you intend to run (npx will download code from the npm registry), prefer installing a vetted binary or pinning a version in CI, review generated config files (snipgrapher.config.*) before committing, and avoid running unknown packages with elevated privileges. No credentials are requested by the skill itself.

Like a lobster shell, security has layers — review code before you run it.

latestvk9719mgajmzajebcrt0szfghfs81k5bw
