ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Model Card

v0.1.0

Generate OpenClaw model inventory and model-card images from openclaw.json. Use when asked to list all configured models, verify default/fallback chains, or...

0· 330·0 current·0 all-time
by@sdsdsdff
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (generate model inventory and model-card images from openclaw.json) aligns with the included Python script and Node helper: the Python script reads openclaw.json, performs consistency checks and outputs Markdown/CLI text, and the Node script renders Markdown to an image. Nothing in the code attempts unrelated actions (no network calls, no credential usage).
Instruction Scope
SKILL.md instructs the agent to run the Python script with --config, which is correct and recommended. The Python script also falls back to an OPENCLAW_CONFIG environment variable and a set of default file paths (including /opt/openclaw-data/conf/openclaw.json and ~/.openclaw/openclaw.json) if --config is not provided. This fallback behavior is reasonable for convenience but is not documented in SKILL.md; it means the tool can read system or user config files if run without an explicit path.
Install Mechanism
There is no install spec (lowest risk) and all code is included. However the skill requires runtimes/binaries that are not declared in the top-level metadata: the Python script requires python3 (present on most systems), the Node-based md2img.js requires node, and md2img.js depends on the external binary wkhtmltoimage. SKILL.md does note the wkhtmltoimage dependency but the registry metadata listed 'required binaries: none', which is inconsistent. There are no downloads or remote install URLs in the skill.
Credentials
The skill does not request credentials and doesn't exfiltrate data. It does read an environment variable OPENCLAW_CONFIG (used as an alternative config path) even though the skill's declared required env vars list is empty; that discrepancy is minor but worth noting. Otherwise no access to secrets or unrelated system credentials is present.
Persistence & Privilege
The skill does not request persistent privileges, does not set always:true, and does not modify other skills or system-wide agent settings. It only reads files and writes output files when asked to render an image.
Assessment
This skill appears to implement exactly what it claims: reading an openclaw.json, performing consistency checks, listing models, and optionally rendering a visual card. Before installing/use: 1) Run it with an explicit --config path to avoid unintentionally reading system/user config files (the script will fallback to OPENCLAW_CONFIG or default paths if --config is omitted). 2) Ensure your environment has python3 and node installed, and install wkhtmltoimage if you want image rendering (md2img.js checks for it). 3) Because the registry metadata lists no required binaries or env vars but the code uses OPENCLAW_CONFIG and external binaries, prefer using explicit paths and avoid exposing sensitive files. 4) If you need higher assurance, review the two included scripts locally (they are short and readable) and run them in a sandboxed environment first. Overall this is internally coherent and not requesting secrets or network access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b04qh52tbqea4kqpy0rznv9828frn
330downloads
0stars
1versions
Updated 8h ago
v0.1.0
MIT-0
@sdsdsdff
latest
Download

OpenClaw Model Card

Use this skill to output OpenClaw model configuration in a consistent way.

Core workflow

  1. Run text output: 
    python3 skills/openclaw-model-card/scripts/show-model-config.py --config /path/to/openclaw.json
  2. If user wants a screenshot/image card, render image: 
    python3 skills/openclaw-model-card/scripts/show-model-config.py --config /path/to/openclaw.json --image ./model-card.png
  3. If running in chat surfaces where terminal output is invisible to the user, send the script output via messaging tool instead of paraphrasing.

Rules

  • Do not handcraft model lists when this skill is requested; always use the script output.
  • Prefer --config explicitly for reproducibility.
  • Keep sensitive config files out of git; only publish generated, sanitized artifacts.

Notes

  • md2img.js depends on wkhtmltoimage.
  • The script includes consistency checks (missing model refs, alias conflicts, suspicious contextWindow).

Comments

Loading comments...