Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
image-ocr
v0.1.0
Extract text content from images using Tesseract OCR via Python
by @wu-uk
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform Tesseract OCR via Python (pytesseract). That requires the Tesseract engine binary to be installed on the host and appropriate language/data packs for non-English OCR, but the registry metadata lists no required binaries or install steps. This mismatch (instruction needs a system binary but metadata says none) is an incoherence.
Instruction Scope
The SKILL.md stays within the OCR scope: it shows example code reading image files, calling pytesseract, and returning JSON. It does not request unrelated files, credentials, or external endpoints. Minor omissions: it doesn't instruct installing or verifying the tesseract binary, nor does it detail handling language packs or potentially malicious/untrusted image inputs.
Install Mechanism
There is no install specification (instruction-only), which is low risk. However, because the instructions rely on external system software (Tesseract) and Python libraries, the absence of guidance on how to install or verify those components is a practical gap that could lead to failed runs or incorrect assumptions about required privileges.
Credentials
The skill requests no environment variables, credentials, or config paths — appropriate for a local OCR utility that processes image files. No excessive or unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent system presence or modify other skills. Autonomous invocation is allowed (platform default) but does not combine with other high-risk flags here.
What to consider before installing
This skill appears to actually be an OCR helper using pytesseract, which requires the system Tesseract binary and appropriate language/data packs — but the skill metadata incorrectly lists no required binaries or install steps. Before installing or using it:
1) Ensure the host has the tesseract executable installed and in PATH (and language packs if you need non-English OCR).
2) Install the Python deps (pytesseract, pillow) in a virtual environment.
3) Be cautious processing untrusted images (use a sandbox) and avoid sending sensitive images to external endpoints — the skill's instructions don't exfiltrate data, but your agent or surrounding automation might.
4) If you expect batch processing or specific language support, ask the author to add explicit install and dependency instructions and to declare the tesseract binary as a required dependency.
Like a lobster shell, security has layers — review code before you run it.
