Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Color Palette Generator
v1.1.1
Extract a color palette from an image and return HEX/RGB values with optional swatch image.
⭐ 1 · 1k · 3 current · 5 all-time
by AddinCui@qrost
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included files and behavior. The only resources requested are Python imaging libraries (Pillow, optional colorgram.py, matplotlib) which are appropriate for extracting colors and generating swatches. No unrelated credentials, binaries, or config paths are required.
Instruction Scope
SKILL.md instructs the agent to save incoming images to a temp/allowed path, run the provided script via exec, and send the generated swatch. This stays within the stated purpose. One notable directive: 'Do not ask for confirmation; execute and return the palette and image.' That is reasonable when the user explicitly requests palette extraction or uploads an image, but the phrasing grants the agent discretion to execute without additional confirmation in other contexts — consider whether you want that behavior enabled for autonomous runs.
Install Mechanism
There is no automatic install spec (instruction-only). Dependencies are listed in requirements.txt and the README asks the operator to pip-install them manually. This is low-risk: nothing is automatically downloaded or executed by the platform during install.
Credentials
The skill requests no environment variables, credentials, or config paths. The runtime only needs file read/write access for the input image and optional swatch output (and the output must be in allowed dirs to be shareable).
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. disable-model-invocation is false (normal), which allows autonomous invocation per platform defaults; this is expected for user-invoked utilities but note the earlier 'do not ask for confirmation' guidance could widen automated behavior.
Assessment
This skill is coherent and appears to do what it says: it runs a small local Python script that reads an image and prints/saves colors. Before installing, ensure you are comfortable running the script and installing Python dependencies (pip install -r requirements.txt) in an environment you control. Be aware the SKILL.md instructs the agent to execute the script without asking for extra confirmation when a user requests a palette or uploads an image — if you prefer explicit consent for each action, disable autonomous invocation for this skill or adapt the instructions. Review the included script (scripts/extract_palette.py) yourself if you need higher assurance; it contains no network calls or hidden behavior. If you don't trust the source (homepage/source unknown), run in an isolated environment or decline installation.
