ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

appearance score

v1.0.0

Multi-face appearance / attractiveness scoring: POST multipart image to Synerunify predict API. Apply when the user asks in English (e.g. face attractiveness...

0· 48·0 current·0 all-time
by@qiushosens
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description and SKILL.md align: it uploads images to https://synerunify.com/api/process/appearance/predict and returns face scores. However, there is no source/homepage, no operator information, and no declared authentication — the absence of provenance for the remote service is notable.
!
Instruction Scope
Instructions tell the agent to upload user images (face photos) to a remote API and parse responses. They do not require or recommend obtaining explicit user consent, warn about sending potentially sensitive biometric data, or describe how the remote service stores/uses images. Transmitting identifiable face images to an unknown third party without these safeguards is a privacy and policy risk.
Install Mechanism
No install spec or code files — instruction-only skill. No binaries or downloads are requested, so nothing is written to disk by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested, which is proportionate to the described anonymous API usage. That said, the lack of required auth means images are sent to an apparently unauthenticated endpoint — this may be by design but increases uncertainty about who receives/stores the data.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent privileges or modify other skills. It can be invoked by the agent normally; that autonomous ability is standard and not by itself a concern.
What to consider before installing
This skill will send user photos (faces) to https://synerunify.com for attractiveness scoring. Before installing or using it, consider: (1) privacy — you may be sending biometric/identifiable data to an unknown third party; verify the service operator, privacy policy, and data retention practices; (2) consent — ensure you have explicit permission from every person in a photo (and avoid minors); (3) legal/compliance — biometric data may be regulated in your jurisdiction; (4) test with non-sensitive images first and confirm TLS/certificate validity; (5) if you need stronger guarantees, prefer a local model or a well-documented vendor that requires credentials and provides data-use controls. If you cannot verify the remote service or you need to protect sensitive images, do not use this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk971yw6q4agtc7n6y5ss7ats1x83m3wf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments