ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

妙达图片理解

v1.0.0

Use when user needs to understand, analyze, or describe image content. Do NOT use Read tool to read images — use this skill instead. Supports local file path...

0· 181·4 current·5 all-time
by@nice1234-h
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill states its purpose is image understanding and the SKILL.md shows only that behavior, but it instructs use of the external binary 'miaoda-studio-cli' while the skill metadata declares no required binaries or install steps. That mismatch (instructions depending on a CLI that isn't declared or installed) is incoherent and could hide implicit dependencies.
Instruction Scope
Instructions limit actions to processing a local image path and optional prompts (describe, extract text, etc.) and do not ask the agent to read unrelated files or env vars. However, the CLI call could perform network I/O (uploading images) or access other system resources — the SKILL.md does not state what miaoda-studio-cli does with the image data.
!
Install Mechanism
There is no install spec and no code files — this is instruction-only. That is low-risk in general, but here it's problematic because the instructions rely on an external tool that the package does not declare or provide; the skill should either declare the required binary or include an install step.
Credentials
The skill requests no environment variables, credentials, or config paths, which is appropriate for a simple image-analysis instruction-only skill.
Persistence & Privilege
The skill does not request persistent/always-on presence and has default invocation settings; it does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill's instructions call an external CLI ('miaoda-studio-cli') but the skill package doesn't declare or install that binary and provides no homepage or source. Before installing or using it, verify where 'miaoda-studio-cli' comes from and whether you already trust it: check the binary's origin, source code or vendor, and its network behavior (does it upload images?). If you care about privacy, test with non-sensitive images first or run the CLI offline in a controlled environment. Prefer skills that declare required binaries or include an install spec and provide a homepage/source for auditing.

Like a lobster shell, security has layers — review code before you run it.

latestvk971vgz6htdpqbj5d2t8k5sw5h83tsp5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments