Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cold Chain Risk Calculator

v1.0.0

Calculate temperature excursion risks for cold chain transport. Assesses route risk, packaging suitability, and monitoring requirements for biological sample...

0· 23·0 current·0 all-time
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the included code: both are about cold-chain risk scoring. The skill does not request unrelated credentials, binaries, or installs, which is proportionate to its stated purpose. However, the documentation describes features (JSON output file, mitigation recommendation generation, strict input validation) that the script does not implement.
Instruction Scope
SKILL.md instructs the agent to run scripts/main.py and describes a JSON output format, an --output option, mandatory duration validation (reject ≤0), always-present mitigation_recommendations, and specific risk thresholds/packaging factors. The actual script: (1) prints human-readable lines to stdout rather than producing the documented JSON structure or an output file; (2) does not implement the --output parameter; (3) does not enforce duration>0 (no explicit check); (4) uses a different packaging factor for liquid-nitrogen (0.3 in code vs 0.6 in docs) and different risk thresholds for classifications (code uses <10/<20, docs use <15/15–30/>30); and (5) does not generate a mitigation_recommendations list. These are substantive inconsistencies between instructions and implementation.
Install Mechanism
No install spec; this is an instruction-only skill with a small local script. No network downloads or package installs are specified, so installation risk is low.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or system access.
Persistence & Privilege
Skill does not request permanent/always-on presence and uses default invocation rules. It does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to be incomplete or mismatched: the documentation promises structured JSON output, an --output option, strict input validation, specific packaging factors, and mitigation recommendations — but the bundled Python script only prints human-readable lines, lacks the --output option, doesn't enforce duration>0, uses a different liquid-nitrogen factor and different risk thresholds, and does not produce the promised JSON or mitigation list. Before using this for any decision that matters (regulatory filings, QA, or shipment planning): (1) do not rely on results for critical decisions; (2) ask the author for a corrected script that matches the SKILL.md (or update the SKILL.md to reflect actual behavior); (3) run the script locally with representative inputs to confirm outputs and test edge cases (zero/negative duration, each packaging type); (4) if you need JSON output or file-writing, either modify the script to implement --output and JSON formatting, or wrap the script safely to produce the documented structure; and (5) require unit tests or examples demonstrating mitigation recommendation generation. These inconsistencies look like sloppy/incomplete implementation rather than clearly malicious behavior, but verify before trusting the tool.
