flashformat
Security checks across malware telemetry and agentic risk
Overview
This skill is coherent: it provides offline, local format-conversion scripts and has no evident credential use, network exfiltration, persistence, or deceptive behavior.
This appears safe to install for offline format conversion. Use a trusted Python environment, consider pinning PyYAML for reproducible installs, and only run the converters on files you intend to read or overwrite.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing live dependencies can expose the user to changes in the package or package index over time.
The skill relies on an external Python package that is installed manually and is not pinned to a specific version; this is expected for YAML conversion but is still a supply-chain consideration.
python -m pip install PyYAML
Install in a virtual environment and consider pinning PyYAML to a trusted version if using this in CI or sensitive repositories.
If pointed at the wrong file, the skill could read unintended local content or overwrite an existing output file.
The scripts can read from and write to file paths supplied on the command line. This is appropriate for local converters, but the paths are not restricted to a particular directory.
Path(input_file).read_text(encoding="utf-8") ... Path(output_file).write_text(content, encoding="utf-8")
Use explicit, intended input and output paths, avoid sensitive files, and keep backups when writing converted output.
