Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Paint Skill
v1.0.0
Generate and save simple drawings as PNG images using Python with interactive and demo modes via Pillow and Tkinter.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (generate and save drawings with Pillow/Tkinter) matches the core behavior: the Python file programmatically draws and saves an image. However, SKILL.md promises interactive Tkinter drawing, demo and CLI modes, and multiple image options; the included script only implements a single draw_park_scene() function and immediately saves one image. The documentation overstates capabilities compared with the code.
Instruction Scope
SKILL.md instructs users to install conda/mamba, create an environment with tkinter support, and run the script with CLI options (--demo, --park, --custom). The shipped script contains no argparse/CLI handling, no Tkinter usage, and only a single callable that draws a park scene. The instructions therefore give the agent/state broad latitude (expecting interactive and multiple modes) that the code does not actually implement.
Install Mechanism
There is no install spec; this is primarily an instruction-and-script bundle. That is low risk from an install mechanism perspective. SKILL.md suggests using conda/mamba and pip to install Pillow, which is reasonable for the stated runtime, though the instructions are optional and not enforced by an install step.
Credentials
The skill requests no environment variables or credentials, which is proportional. However, the script writes output to a hardcoded absolute path (/Users/m1/.openclaw/workspace/openclaw_drawing.png). This is user-specific and unexpected (not declared in SKILL.md). It may fail on other systems and could overwrite a file at that location if present; the hardcoded path is an incoherent implementation detail versus the documented usage.
Persistence & Privilege
The skill does not request elevated privileges, does not set always:true, and does not modify other skills or system settings. It does persist a file to disk at a hardcoded path in a user's home directory, which is limited scope but notable because it is an undeclared, hardcoded side effect.
What to consider before installing
This skill's single Python file will draw and save a park image, but its documentation claims interactive GUI and CLI modes that are not present. Before installing or running it:
1) Inspect or run the script in a sandbox or throwaway environment (not as root).
2) Change the hardcoded output path to a safe, configurable location (or modify the script to accept an output filepath argument).
3) If you need interactive/demo features, implement or obtain a script that actually uses Tkinter and parses CLI options.
4) Use a dedicated Python virtual environment and confirm Pillow is the only external dependency.
5) If you plan to let an agent invoke this autonomously, be aware it will write files to disk — ensure the output path is safe and expected.
If you need, ask the author for a corrected SKILL.md or a version of the script that matches the documented features.
Like a lobster shell, security has layers — review code before you run it.
