Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jpocr

v1.0.0

Japanese OCR via NDLOCR-Lite (National Diet Library). Trigger on 'OCR this image', '日文OCR', 'recognize Japanese text', or any request to extract text from Ja...

⭐ 0· 565·0 current·1 all-time

byWayne@realwaynesun

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

Name/description promise local OCR via NDLOCR-Lite, which is plausible, but the repository bundle lacks the referenced runtime (src/ocr.py) and virtualenv (.venv/bin/python). The skill therefore cannot perform its stated purpose as packaged; that mismatch is incoherent.

Instruction Scope

SKILL.md instructs running scripts/ocr-cli.sh which invokes a python program and writes output files. The README provides no installation steps, model files, or network/download behavior. The executor script redirects the OCR process's stdout/stderr to /dev/null, hiding errors or network activity—this opaque behavior is risky and the instructions are incomplete.

ℹ

Install Mechanism

There is no install spec (low risk), but the script expects a prebuilt .venv and model/code under src/ which are not included. Absence of an install mechanism or documentation for obtaining models/code is a packaging/maintainability concern (it may require fetching large model artifacts or code from elsewhere).

✓

Credentials

The skill requests no credentials and only optionally uses JPOCR_OUTPUT to set output directory. No secret or unrelated environment variables are required. However, the use of a hidden .venv path and optional env var should be documented.

✓

Persistence & Privilege

Flags are default (not always-on); the skill does not request persistent system-wide presence or modify other skill configs. It appears to run as a one-off command when invoked.

What to consider before installing

This package is incomplete and opaque. Before installing or running: (1) request or inspect the missing files (src/ocr.py, model assets, and any venv setup scripts) and any instructions for obtaining model weights; (2) verify where those models/code would be downloaded from (trusted GitHub release or official NDLOCR distribution) — avoid skills that fetch code from unknown servers; (3) note that the runner script silences stdout/stderr (>/dev/null 2>&1), which will hide errors and any network download messages—run it in a sandbox or with that redirection removed so you can see activity; (4) prefer a skill with a clear install spec or documented provenance for large model files. If the author cannot provide the missing files and a clear install provenance, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f7wcem09wxgj99azeag3b6d82089x

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

jpocr

License

Comments