Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dei Statement Drafter

v0.1.2

Draft Diversity, Equity, and Inclusion statements for academic applications

by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the actual code: a simple local Python script that generates DEI statement text from built-in templates and optionally reads an experiences file and writes output. No unexplained dependencies, credentials, or network access are requested.
Instruction Scope
SKILL.md and the usage notes describe reading an experiences file and writing output, which is what the code does. However, the documentation's security checklist claims path validation (no ../ traversal), prompt-injection protections, and sanitized error messaging, and none of these protections is implemented in scripts/main.py. The script opens a user-supplied file path with no validation and writes to the given output path without checks, which could allow accidental exposure or overwriting of files if misused.
Install Mechanism
No install spec and no external packages required; the skill is instruction-only plus a small Python script, so nothing is downloaded or installed during skill use.
Credentials
No environment variables, credentials, or config paths are requested. The only sensitive operation is reading a user-supplied file path and writing an output file — operations consistent with the stated purpose.
Persistence & Privilege
Skill does not request persistent presence (always: false), does not modify other skills or system configuration, and does not store credentials or enable autonomous escalation.
What to consider before installing
This skill is coherent with its stated purpose and contains only a small Python script, but the README's security checklist promises protections (input path validation, sanitized errors, sandboxing) that the code does not implement. Before running:
(1) inspect the script yourself (you already have it) and confirm it meets your safety requirements;
(2) do not point --experiences at sensitive system files (e.g., ~/.ssh, /etc/passwd), because the script will read whatever path you provide;
(3) avoid running with an output path that could overwrite important files;
(4) run it in a sandbox/container or with limited filesystem permissions if you want extra safety;
(5) if you plan to use this in an automated agent, consider adding explicit path validation and error handling to the code to enforce the checklist items the SKILL.md lists.



