ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Signus Font Signature

v1.0.1

Generate font-based signature images via Signus API and return image files for chat delivery. Use when asked for font signatures (not AI websocket handwritte...

0· 140·0 current·0 all-time
by@signus-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included script and SKILL.md. Required actions (HTTP POST to signus endpoints, unzip, save images) align with the stated purpose. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
The SKILL.md correctly instructs running the included Node.js script with a JSON payload. The script creates an output directory under the user's home (~/.openclaw/media/signatures-font/), posts to fixed signus endpoints, extracts ZIPs, and writes image files. These behaviors are expected for this task, but the skill does perform network access and write files to the user's home directory (media storage) — both are within scope but worth noting.
Install Mechanism
This is an instruction-only skill with a package.json and one dependency (adm-zip). SKILL.md requires running npm install in the skill folder; adm-zip is fetched from the public npm registry (traceable). No arbitrary downloads or extract-from-unknown-URL steps are present.
Credentials
The skill declares no required environment variables or credentials and the code does not read env vars. It uses public signus endpoints; a fallback endpoint (/users/me/...) may rely on implicit session/auth in some deployments, which the SKILL.md explicitly notes.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It writes only into its own media folder under ~/.openclaw/media/signatures-font/. It does not request permanent elevated privileges.
Assessment
This skill appears coherent and implements exactly what it says: it POSTs to https://api.signus.ai, downloads and/or extracts image files, and stores them under ~/.openclaw/media/signatures-font/. Before installing: 1) confirm you trust api.signus.ai and are comfortable with the skill writing files to your home media folder; 2) be prepared to run npm install in the skill folder (it will fetch adm-zip from the npm registry); 3) note the fallback endpoint (/users/me/...) may require an existing session — do not embed secrets in payloads; 4) review the included script yourself if you need higher assurance (it is short and readable).

Like a lobster shell, security has layers — review code before you run it.

latestvk97b5qfew5fk1fhs7rmrmn1ag9832fk5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments