ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pixel Asset Pipeline

v1.0.0

AI pixel art sprite generation + processing pipeline for Godot games. Generate sprite sheets with Seedream, auto-process into Godot-ready assets (hframes, tr...

0· 64·0 current·0 all-time
by@muxueqingze
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (AI pixel-art -> Godot-ready assets) matches the behavior of the two included Python scripts, which perform background removal, frame-splitting, scaling, and sprite-sheet output. However, the batch generator is intended to call external generator backends (Seedream, wanx, Gemini) that are referenced in SKILL.md but are not present in the file manifest. The default generator path in batch_generate.py is an absolute Windows path (D:\the things of mine\...) pointing to a local 'lumi-work' script that is not included — this is inconsistent with the claimed out-of-the-box Seedream support.
!
Instruction Scope
The scripts operate only on local files and do not access environment variables or network themselves, which is appropriate. However, batch_generate.py uses subprocess.run to invoke an external generator script (by default an absolute path) and will execute whatever Python file the --generator argument points to. Because the referenced generator scripts are not bundled, the runtime behavior depends on external files the user must supply; running an unknown generator script could execute arbitrary code. The SKILL.md suggests running lumi-work/脚本/生图/seedream_generate.py but that file is absent.
Install Mechanism
No install spec is provided (instruction-only plus included scripts). The only declared runtime requirement is 'python' and the README instructs installing Pillow. Nothing is downloaded or extracted by the skill itself.
Credentials
The skill does not request any environment variables, credentials, or config paths. That is proportionate for a local image-processing pipeline.
Persistence & Privilege
always:false and no modifications to other skills or global agent settings. The scripts write output files to local directories only (game_assets/_raw, etc.), which is expected for this purpose.
What to consider before installing
This skill's image-processing code is consistent with its description and appears safe for local use, but it is incomplete: the generation backend scripts (seedream_generate.py, wanx_generate.py, etc.) are referenced but not included, and the default generator path is a hard-coded absolute Windows path to a user-local workspace. Before running batch generation: (1) inspect any generator script you point to (especially seedream_generate.py) so you know what it does and that it is trustworthy, (2) don't run the skill with an unreviewed --generator value, (3) adjust the DEFAULT_GENERATOR or pass --generator to a known-good script, and (4) run in a non-sensitive environment until you're confident with the generator's behavior. Installing Pillow locally (pip install Pillow) is required for processing. If you want an out-of-the-box generation workflow, ask the author for the missing backend scripts or include a documented, trusted backend.

Like a lobster shell, security has layers — review code before you run it.

latestvk971h9r4rg88nzgsts4hbt9ntd83vmpp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎮 Clawdis
Binspython

Comments