Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawsay

v1.0.0

Display a message in a speech bubble spoken by an ASCII lobster.

by Tjaden Hess (@tjade273)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and description align: the script prints a lobster ASCII-art with a speech bubble. However, the package metadata (scripts/pyproject.toml) declares a Python package dependency (termcolor3) and a Python version (>=3.12), while SKILL metadata lists no required binaries or environment — so the skill implicitly needs a Python runtime and a dependency that are not declared in the skill requirements.
Instruction Scope
SKILL.md instructs the agent to cd into scripts and run the script using 'uv' (examples: 'uv run clawsay.py' and 'uv run python scripts/clawsay.py'). The script itself only prints to stdout and does not access files, network, or env vars. The only scope issue is the vague/unexplained use of 'uv' and inconsistent example commands; otherwise the runtime behavior stays within the stated purpose.
Install Mechanism
There is no install spec (instruction-only), yet a pyproject.toml with a dependency (termcolor3) is included. Without an install step, the agent or environment may lack the required Python version or package. This is an omission/oversight rather than an actively malicious install mechanism.
Credentials
No environment variables, credentials, or config paths are requested or accessed by the code. The script only reads command-line arguments and prints colored output.
Persistence & Privilege
The skill does not request persistent or elevated privileges; 'always' is false and there is no behavior that modifies other skills or agent-wide configuration.
What to consider before installing
This appears to be a simple, benign utility that prints an ASCII lobster with a speech bubble. Before installing or running:

1) confirm your environment has Python (the pyproject requires >=3.12) and install the dependency termcolor3 (or termcolor compatible) or adjust the script to use an available color library;
2) clarify what 'uv' refers to in the instructions — it's not a standard Python runner on every system and the example commands are inconsistent;
3) because the source/origin is unknown, run it in a restricted/sandboxed environment if you want to test it;
4) if you need this skill to be robust for multiple environments, add an explicit install step (pip install -r or poetry) or document required binaries so the platform can enforce them.

The code itself does not perform network, file, or credential access.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97266c4z1z3222q8yq12rbzms81f8e5
