Word Jumble
v1.2.3
Generate a Word Jumble puzzle — scrambled words with circled letters that spell out a final idiom, plus a cartoon illustration hint and a printable puzzle im...
by Marv @robin-marv
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (Word Jumble generator + printable output + cartoon hint) align with the included assets and scripts: a template HTML, a validator, and a renderer that prepares a local HTTP page for screenshotting. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
Instructions stay within the declared purpose: generate puzzle JSON, validate with scripts/validate_puzzle.py, produce an image via the platform image_generate tool, and render via a local HTTP server for screenshot. Two caveats: (1) the HTML template embeds the final solution into the DOM in plaintext (upside-down/small), which the SKILL.md calls out — this means the answer is present in the served page and could be read programmatically even if visually obfuscated; (2) image generation uses the platform image_generate tool which sends prompts to an external image generation API (and thus prompt content is exposed to that provider). Both behaviors are intentional per the skill, but the user should be aware.
Install Mechanism
No install spec is provided (instruction-only with included scripts/assets). This is low risk: nothing is downloaded or written to system locations beyond the workspace/temp files the scripts create.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The only external interaction is the platform-managed image provider (handled by the platform, not requested by the skill). This is proportionate for an image-using puzzle generator.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges, nor does it modify other skills or system-wide configs. The renderer uses a short-lived local HTTP server bound to 127.0.0.1 and temporary directories, which are cleaned up.
Assessment
This skill appears to do exactly what it says: generate, validate, and render Word Jumble puzzles. Before installing/using, consider the following: (1) The final answer is intentionally embedded in the HTML DOM as plaintext (visually rotated/small) — anyone or any tool that can access the served page (or the generated HTML file) can read the answer. If you want the answer to be secret, modify the template to remove or encode the answer server-side. (2) Image generation sends prompts to whatever external image provider the platform is configured with; do not put sensitive information into image prompts. (3) The included comment in the HTML claims the answer is ROT13-encoded, but the implementation writes the plaintext solution — this is an informational mismatch (not a security exploit). (4) The renderer starts a local HTTP server bound to 127.0.0.1 and writes temporary files; confirm you trust the agent runtime to handle these files. If you need the skill to be more private, request removal of the answer from the DOM and/or local-only rendering without writing persistent outputs.
Like a lobster shell, security has layers — review code before you run it.
