Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Graph Interpretation

v0.1.0

Use when interpreting scientific graphs and charts, explaining data visualizations for research presentations, writing figure captions for publications, or a...

by AIpoch (@aipoch-ai)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims advanced image-based graph interpretation (Kaplan‑Meier, ROC, AUC extraction, caption generation, batch CLI, etc.) but the repository contains only a small scripts/main.py implementing a trivial GraphInterpretation.describe() template. SKILL.md references scripts/graph_interpreter.py and many APIs (interpret(), analyze(), extract_statistics()) that do not exist in the codebase. This mismatch suggests the shipped artifacts do not implement the described purpose.
Instruction Scope
Runtime instructions (SKILL.md) instruct the agent to read local image files, run a CLI (python scripts/graph_interpreter.py), and process batches of figures. The referenced CLI/script file is absent. The SKILL.md header also lists allowed-tools: "Read Write Bash Edit", granting broad filesystem and shell access that goes beyond a simple text/template helper. The instructions are thus out-of-sync with available code and give the agent broad discretion to read/write and run shell commands.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in itself. However, the documented features would normally require external libraries (image processing, ML, stats) and an install/dependency list — none are declared. The absence of an install step combined with heavy claimed capabilities is an implementation gap (not necessarily malicious) but is suspicious.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. SKILL.md also does not reference any secrets or external endpoints. From a credentials standpoint, requested access is proportionate (none).
Persistence & Privilege
always: false and default model invocation settings are normal. However, the SKILL.md allowed-tools field grants Read/Write/Bash/Edit capabilities which give the agent broad filesystem and shell privileges when invoked — reasonable for local image processing but broader than strictly necessary for a caption-template helper. This should be reviewed before enabling.
What to consider before installing
Do not install or enable this skill yet. The documentation (SKILL.md) promises many image-analysis features, but the package only contains a small placeholder script and references a missing scripts/graph_interpreter.py and many non-existent APIs. That mismatch can cause the agent to attempt arbitrary shell/file operations or fail unexpectedly. Before proceeding, ask the author for: (1) the missing implementation files, (2) a dependency/install manifest (pip/conda) for image/ML libs, (3) tests or examples that actually run, and (4) a justification for the declared allowed-tools (Read/Write/Bash/Edit). If you must test, do so in a restricted sandbox, avoid exposing sensitive images or data, and restrict the skill's file/shell permissions until the implementation and dependencies are verified.


latest: vk97a19jb4j437wvf04k67amky583fyac
