Anime Meme Collector

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its meme-collection purpose, but it persists web-fetched content for future agent use while disabling HTTPS certificate verification.

Review or modify the script before enabling it, especially the disabled TLS verification. If you use the skill, treat the generated meme database as untrusted public web content and avoid enabling daily cron updates until you are comfortable with the external requests and ongoing local file updates.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Medium
What this means

A network attacker or tampered response could insert misleading or prompt-like text into the meme database, and the agent may reuse it in later answers.

Why it was flagged

The updater disables HTTPS certificate validation while saving fetched web data into the persistent meme database that the skill later tells the agent to use as context.

Skill content

context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
...
def save_memes(filepath, memes_data):
    ...
    json.dump(memes_data, f, ensure_ascii=False, indent=2)

Recommendation

Keep HTTPS verification enabled, validate or review fetched entries before storing them, and instruct the agent to treat database entries as untrusted content rather than commands.

ASI10: Rogue Agents
Low
What this means

If enabled, the collector will make daily web requests and update the local meme database automatically.

Why it was flagged

The skill documents optional daily background execution. It is disclosed and purpose-aligned, but it will keep running until the user removes the cron job.

Skill content

Set up cron job for midnight ... 0 0 * * * cd /path/to/skill && python scripts/collect_memes.py ... Or use OpenClaw cron

Recommendation

Only enable the cron job if you want ongoing updates, and keep a clear way to disable or remove the scheduled job.

ASI02: Tool Misuse and Exploitation
Info
What this means

Running the script contacts external websites and stores selected trend data locally.

Why it was flagged

The script makes outbound requests to public Bilibili and Zhihu endpoints, which is expected for a trend-collection skill.

Skill content

url = "https://api.bilibili.com/x/web-interface/ranking/v2?rid=0&type=all" ... url = "https://www.zhihu.com/api/v3/feed/topstory/hot-lists/total?limit=50"

Recommendation

Use it only if you are comfortable with those external web requests, and consider reviewing the generated database periodically.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill may fail or behave differently depending on the local Python environment.

Why it was flagged

The metadata does not declare the Python runtime used by the documented command `python scripts/collect_memes.py`; this is a metadata completeness issue rather than hidden behavior.

Skill content

Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill

Recommendation

Check the Python script before running it and use a known, controlled Python environment.