Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Heatmap Beautifier
v0.1.0 · Professional beautification tool for gene expression heatmaps, automatically adds clustering trees, color annotation tracks, and intelligently optimizes labe...
⭐ 0 · 53 · 0 current · 0 all-time
by AIpoch @aipoch-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name, description, SKILL.md, requirements.txt and scripts/main.py consistently implement a gene-expression heatmap beautifier using seaborn/matplotlib/pandas/numpy. Declared features (clustering, annotation tracks, demo mode, output JSON) align with the code and documented CLI.
Instruction Scope
SKILL.md instructs running the included script and restricts it to CSV expression matrices; it does not ask for unrelated system files or credentials. However, the code's load_data() uses a bare 'except:' to fall back to alternate CSV separators, which can mask errors, while POLISH_CHANGELOG and SKILL.md claim that bare excepts were replaced with specific exceptions; this is a direct doc/code mismatch. The usage examples also import from 'skills.heatmap_beautifier.scripts.main', which assumes the skill is installed as a package; if it is not, the import fails, and the runtime advice is inconsistent with a plain script layout.
Install Mechanism
No install spec; requirements.txt lists common scientific Python packages (matplotlib, numpy, pandas, seaborn). No downloads from external URLs or archive extraction are present in the package metadata. This is low-risk compared to arbitrary installer scripts.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The dependencies and parameters are proportionate to a visualization tool.
Persistence & Privilege
always:false, no platform-wide changes or claims to modify other skills. The skill is user-invocable and can be invoked autonomously (platform default); that is expected for skills and does not by itself raise a red flag here.
Scan Findings in Context
[BARE_EXCEPT_IN_LOAD_DATA] unexpected: scripts/main.py's load_data() uses a bare 'except:' to fall back to alternate separators. SKILL.md and POLISH_CHANGELOG claim that the bare except has been replaced with specific exception types; its presence is an inconsistency, and a bare except also swallows unrelated runtime errors (programming bugs, interrupts), not just parse failures.
[IMPORT_PATH_ASSUMPTION] expected: SKILL.md shows usage 'from skills.heatmap_beautifier.scripts.main import HeatmapBeautifier'. This is reasonable if the skill is packaged, but the repository layout (scripts/main.py) suggests it may be run as a script. The import path assumption is not harmful but may cause confusion when following the docs.
What to consider before installing
This skill appears to be a real heatmap beautifier and does not request credentials or external downloads, but there are two issues to check before installing or running it:

(1) The code contains a bare 'except:' in load_data() that can hide parsing or other errors. Ask the maintainer to replace it with targeted exception types (e.g., pd.errors.ParserError, UnicodeDecodeError), or review the code yourself.

(2) The SKILL.md usage examples assume an installed package import path, which will not work if you only have the script file. Verify how the skill will be deployed.

To be safer, run the quick checks locally in an isolated environment: python -m py_compile scripts/main.py and python scripts/main.py --demo --output demo_heatmap.pdf, and inspect the script for any further unexpected behavior. If you plan to let the agent invoke this skill autonomously, prefer running it in a restricted environment (container or sandbox) until you confirm the code matches the documentation and the exception handling is fixed.
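The following is an added illustration of the bare-except finding, not code from the skill or its author. It models the separator-fallback pattern the scan describes with the standard library's csv module (the skill itself uses pandas; there the targeted clauses would catch pd.errors.ParserError and UnicodeDecodeError as the report suggests). The sample matrices, the SEPARATORS list, the ExpressionMatrixError type and the function names are all constructed for this example. It shows the flagged pattern and the hardened form side by side, and why the bare version is worse: it returns None for a programming error (a bytes object passed where text is expected) instead of raising it.

```python
import csv
import io

# Constructed sample inputs: the same tiny expression matrix with two separators.
COMMA_CSV = "gene,s1,s2\nTP53,1.0,2.0\nBRCA1,0.5,1.5\n"
TAB_CSV = "gene\ts1\ts2\nTP53\t1.0\t2.0\nBRCA1\t0.5\t1.5\n"

# Hypothetical fallback order, assumed for this example.
SEPARATORS = (",", "\t", ";")


class ExpressionMatrixError(ValueError):
    """Raised when text cannot be read as a gene-by-sample matrix (hypothetical type)."""


def _parse(text, sep):
    """Parse text with one separator into (sample_names, {gene: [values]}).

    Raises ExpressionMatrixError for structural problems and ValueError
    (from float()) for non-numeric cells; anything else is a real bug and
    must propagate.
    """
    rows = list(csv.reader(io.StringIO(text), delimiter=sep))
    if not rows:
        raise ExpressionMatrixError("empty input")
    header, body = rows[0], rows[1:]
    if len(header) < 2:
        raise ExpressionMatrixError(f"separator {sep!r} yields a single column")
    matrix = {}
    for row in body:
        if len(row) != len(header):
            raise ExpressionMatrixError(f"ragged row {row!r} for separator {sep!r}")
        matrix[row[0]] = [float(v) for v in row[1:]]
    return header[1:], matrix


def load_data_bare(text):
    """The pattern the scan flagged: a bare except swallows every failure."""
    for sep in SEPARATORS:
        try:
            return _parse(text, sep)
        except:  # noqa: E722 - deliberately the flagged pattern
            continue
    return None  # caller cannot tell "bad file" from "bug in loader"


def load_data_targeted(text):
    """Hardened form: only separator/parse failures trigger the next attempt."""
    attempts = []
    for sep in SEPARATORS:
        try:
            return _parse(text, sep)
        except (csv.Error, ExpressionMatrixError, ValueError) as exc:
            attempts.append(f"{sep!r}: {exc}")
    # Every separator failed for a data reason: report all of them.
    raise ExpressionMatrixError("no separator parsed the input; " + "; ".join(attempts))


def exception_type(func, *args):
    """Return the name of the exception func raises, or None if it returns."""
    try:
        func(*args)
    except Exception as exc:  # broad on purpose: this is a test probe
        return type(exc).__name__
    return None


if __name__ == "__main__":
    samples, matrix = load_data_targeted(TAB_CSV)
    print(samples, matrix)
    # A bytes object is a caller bug, not a CSV problem:
    print("bare:", exception_type(load_data_bare, b"gene,s1\n"))        # None (masked)
    print("targeted:", exception_type(load_data_targeted, b"gene,s1\n"))  # TypeError
```

The point for the reviewer is the last two lines: with the bare except, a TypeError raised by io.StringIO on non-text input is silently turned into a None result, so a caller that then indexes the result sees a confusing failure far from the cause; the targeted version lets that bug surface while still cycling through separators for genuine parse errors.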
latest vk97b0steqp9fewjg2m69bvhem583eksk
