ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Anki Card Creator

v0.1.0

Convert medical textbook content, lecture notes, and study materials into Anki flashcards using spaced repetition optimization. Supports multiple card types...

0· 112·0 current·0 all-time
byAIpoch@aipoch-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill advertises PDF/text extraction, cloze-generation, image occlusion, media download/embedding, batch processing, and integrations. The shipped code (scripts/main.py) only performs simple Q/A parsing, creates a few hard-coded card types, and writes a TSV. There are no PDF or image-handling routines, no network/media download, no Anki .apkg export, and the SKILL.md examples import from scripts.card_creator while the repo contains scripts/main.py — capability claims are disproportionate to the actual code.
!
Instruction Scope
SKILL.md instructs use of tools and workflows (PDF chapter conversion, image occlusion, auto-tagging, integration with other skills) that require reading files, downloading media, and invoking other components. The included script only reads local text files and writes a TSV; it cannot perform the described PDF extraction, image occlusion, or external integrations. The instructions give broad discretion (allowed-tools includes Bash and Read/Write) but the implementation does not constrain or implement those behaviors, creating a gap between 'what to do' and 'what actually runs'.
Install Mechanism
No install spec is provided and the package is effectively instruction + a small Python script. Nothing is downloaded or installed automatically and there are no external install URLs, so installation risk is low.
Credentials
The skill declares no required environment variables or credentials and the code does not read environment variables or request secrets. Credential requests are proportionate (none) to the stated functionality.
Persistence & Privilege
The skill is not forced-always, and it does not request elevated platform persistence. Default autonomy (model invocation allowed) is normal and not combined with other red flags here.
What to consider before installing
This skill's documentation promises many advanced features but the bundled code only supports simple local Q/A parsing and TSV export. Before installing or using it for real study materials: (1) ask the author for the missing implementation (PDF/text extractors, image occlusion, media download, APKG export) or for an explanation of why SKILL.md exceeds the code; (2) verify any code that would download or access external URLs — none is present now, but confirm before accepting network access; (3) do not feed sensitive or copyrighted medical PDFs into this skill until you confirm where data may be sent or stored; (4) if you plan to use it, test in an isolated environment and review/modify scripts/main.py to match the intended workflow (or replace with verified tools); (5) request corrected examples (the SKILL.md imports scripts.card_creator but the file is scripts/main.py). These mismatches suggest the skill is incomplete or misdocumented rather than actively malicious, but you should treat it as untrusted until the gaps are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97frddvqaz3ykq9wmdzetx945834w02

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments