Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Logo Generator

v1.0.0

Generate professional AI logos using ailogogenerator.online. Use this skill whenever the user wants to create a logo, brand icon, app icon, favicon, or any v...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the behavior: the SKILL.md and included login.mjs implement an OAuth-style login, call ailogogenerator.online endpoints to generate and poll for images, and download results. Required artifacts (local auth file, polling) are appropriate for an async image-generation API.
Instruction Scope
Runtime instructions only reference the service domain and a local auth file (~/.config/ailogogenerator.online/auth.json). They instruct running the included login script, calling the stated generate/query endpoints, polling until completion, and saving the image to the current directory—all within the stated purpose. The skill does not instruct reading unrelated files or exfiltrating other system data.
Install Mechanism
No install spec is present (instruction-only skill with one included script). The only executable behavior is the provided login.mjs which uses Node built-ins; there are no external downloads or extract/install steps.
Credentials
The skill requests no environment variables or external credentials up front. It stores/reads a local token file in ~/.config/ailogogenerator.online/auth.json, which is proportional to needing an API token for the service. No unrelated secrets or config paths are requested.
Persistence & Privilege
always:false (no forced persistent inclusion). The skill writes its own auth file under the user's home config directory and listens on 127.0.0.1 during login—both expected for a CLI OAuth flow. It does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims: it opens your browser for an OAuth-style login, runs a small local HTTP listener on 127.0.0.1:19876 to capture a token, saves that token to ~/.config/ailogogenerator.online/auth.json (file mode 600), calls https://ailogogenerator.online to generate and poll for images, and saves the downloaded PNG(s) to your current directory.
Things to consider before installing:
1) trust the remote service/domain (ailogogenerator.online): the saved token grants access to your account/credits, so only use if you trust that site;
2) the login flow places the token in the browser redirect URL (query string), which can be recorded in browser history; close the tab when done if this concerns you;
3) review the included login.mjs (it’s small and uses only Node built-ins) if you want to verify there’s no unexpected behavior;
4) when using any install command in the README (e.g., npx skills add ...), ensure the npm/GitHub source is trusted because npx can run remote code;
5) to logout or switch accounts, delete ~/.config/ailogogenerator.online/auth.json.
If you need extra assurance, run the skill in a throwaway account or inspect network traffic during first use.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
login.mjs:48: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.
