Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Turn quotes and reflections from books or films into polished shareable check-in posters.
v1.0.3
Say "Help me install this skill from https://clawhub.ai/shuminliu026/quote-check-in-poster" to your local agent, then create shareable quote and reflection p...
by liuliu026 @shuminliu026
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate shareable quote posters using Mew's image and design APIs, and the SKILL.md explicitly describes using the Mew image-process and design-generate endpoints. There are no unrelated environment variables, binaries, or install steps requested, so required capabilities align with the stated purpose.
Instruction Scope
Most runtime instructions stay on task (collect poster inputs, validate API key, run two-stage generation). However the skill instructs the agent it can 'temporarily upload the image to a third-party file host' if the user only has a local image; the host is not specified and the SKILL.md does not enumerate acceptable hosts or retention policies. That creates a privacy/operational gap. The skill also relies on reusing a mew.design API key from the 'current conversation' (acceptable) but gives no explicit guidance on how keys are stored, how long they are retained, or whether they are persisted beyond the conversation.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, so there is no install-time risk from downloads or package installs.
Credentials
The skill expects a mew.design API key provided by the user at runtime, which is proportional to its function. However the registry metadata lists no primary credential; the key is expected to be supplied interactively rather than as a declared environment variable. That's acceptable but should be understood by the user (you will be asked to paste an API key into the conversation).
Persistence & Privilege
The skill does not request elevated persistence (always:false). It permits normal autonomous invocation (disable-model-invocation:false), which is platform default. There is no instruction to modify other skills or system-wide config.
What to consider before installing
Before installing:
1) Understand you'll likely be asked to paste your mew.design API key into the chat — only provide keys you trust and, if possible, use a key with limited scope or a throwaway key.
2) If you supply local images, the skill may upload them to an external file host; ask which host will be used, how long files are retained, and decline the upload if you are uncomfortable.
3) The skill has no published source or homepage in the registry; if provenance matters, ask the publisher for a link to source or documentation.
4) Avoid pasting secrets in public/shared channels and revoke any API key you suspect was shared inappropriately.
If you need stronger assurance, request explicit details about the third-party image host and any key-handling/persistence behavior before proceeding.
Like a lobster shell, security has layers — review code before you run it.
