ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

图片向量嵌入技能

v1.0.0

图片向量嵌入技能,支持将病害图片转换为特征向量,用于后续的图片检索和相似度匹配。适用于病害知识库的图片特征提取、向量入库等场景。

0· 90·0 current·0 all-time
byVenwell Chiang@kumamon2019s
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
SKILL.md and description claim a pre-trained disease-specific embedding model, 1024-d normalized outputs, support for common image formats, batching limits, and ML dependencies (torch, torchvision, transformers, pillow). The included code (scripts/embedding.py) contains only a simple class that returns random numpy vectors and does not use any of the declared ML libraries or implement format handling, normalization, or batch-size enforcement. The requested dependencies and promised capabilities are disproportionate to the actual implementation.
!
Instruction Scope
Runtime instructions tell the user/agent to install heavy ML packages via pip, and show usage examples that imply a real model. The SKILL.md instructs operations that the code does not implement (pretrained model extraction, normalization, file format handling, max-batch enforcement). There are no instructions to access unrelated files or credentials, but the guidance is misleading about runtime behavior.
Install Mechanism
There is no formal install spec (skill is instruction-only), but SKILL.md recommends pip installing torch, torchvision, transformers, pillow. Because those installs are not reflected in code and may be unnecessary, this is an inconsistency (not a direct supply-chain risk here, but installing large ML packages without need is avoidable risk).
Credentials
The skill requests no environment variables, credentials, or config paths. There is no sign of unnecessary credential access or exfiltration in code or instructions.
Persistence & Privilege
Skill flags are default (always: false, user-invocable: true, model invocation allowed). The skill does not request elevated persistence or modify other skills; no concern here.
What to consider before installing
This skill's documentation promises a real pretrained image embedding model and lists heavy ML dependencies, but the included code is a placeholder that returns random vectors. Before installing or using it: (1) don't assume outputs are meaningful — test with known inputs to verify vectors (e.g., check reproducibility, normalization, similarity behavior); (2) avoid blindly running 'pip install' of large ML libraries unless you actually need them — the shipped code only needs numpy; (3) ask the author for the real model implementation or for SKILL.md to be corrected (provide model weights, license, inference code, and how normalization/batch limits are enforced); (4) if you need production embeddings, prefer a skill with explicit, auditable model code or a link to a trusted model/release. If the author supplies a true model implementation that matches the docs, re-evaluate; otherwise treat this as untrusted/testing-only code.

Like a lobster shell, security has layers — review code before you run it.

latestvk978erfwyft1m0t4a4n7jt3pfs83zwrd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments