ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cardnews

v1.0.0

Generate Instagram-ready card news (카드뉴스) image sets. Use when creating a series of 5 slide images from a topic — includes content planning, image generation...

0· 613·2 current·2 all-time
by@mupengi-bot
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the content: planning slides, generating images via another image-gen skill (nano-banana-pro), converting PNG→JPG, caption writing, and upload prep. Required binaries/env/config are empty and consistent with an instruction-only skill that delegates image creation to another skill.
Instruction Scope
SKILL.md stays on-task (plan slides, call nano-banana-pro to generate PNGs, convert to JPG, write caption, use browser upload). It references running a script from the nano-banana-pro skill and a browser-based TOOLS.md workflow — these are reasonable but require the nano-banana-pro skill and the TOOLS.md upload doc to be present and trusted. The instructions don't ask for unrelated files, credentials, or system-wide config.
Install Mechanism
No install spec (instruction-only) which is low-risk. The included convert_jpg.py will attempt to pip-install Pillow at runtime if it's missing (via subprocess.check_call). That behavior performs a network package install when first run — not inherently malicious but worth noting because it writes packages to the environment at runtime.
Credentials
Skill declares no environment variables, no credentials, and no config paths. SKILL.md does not reference environment variables or secrets. The lack of external credential requests is proportionate to the stated purpose, though the skill delegates image generation to another skill which may have its own credential needs.
Persistence & Privilege
always is false and the skill does not request permanent presence or modify other skills. It contains a small utility script but does not change system or agent-wide settings.
Assessment
This skill appears coherent and small. Things to consider before installing: (1) It relies on another skill (nano-banana-pro) — verify that skill's source and permissions because image generation is delegated to it. (2) The included convert_jpg.py will pip-install Pillow at runtime if missing, which downloads packages from PyPI — if you require an offline or locked environment, pre-install Pillow or inspect and sandbox the execution. (3) The SKILL.md references a TOOLS.md browser upload flow not included here — confirm how uploads are handled in your environment. If you plan to run this in a shared or sensitive environment, run the converter in a sandbox or review/approve the nano-banana-pro skill first.

Like a lobster shell, security has layers — review code before you run it.

latestvk972qkstk9y649gy3rh5s6kayn817m53

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments