ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openai-vision

v0.1.0

Analyze images and multi-frame sequences using OpenAI GPT vision models

0· 2·0 current·0 all-time
by@wu-uk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (image analysis with OpenAI vision models) matches the SKILL.md examples and capabilities (OCR, multi-frame comparison). The skill legitimately needs the OpenAI client and the ability to read image files/URLs, which the instructions request.
!
Instruction Scope
The runtime instructions explicitly read local image files, encode them to base64, and send them to the OpenAI SDK for remote analysis. That behavior is consistent with the stated purpose but it also means arbitrary local images (including potentially sensitive files) will be transmitted to a third-party API — the SKILL.md does not warn about this or restrict which paths should be used.
Install Mechanism
This is an instruction-only skill with no install spec or downloaded code, so nothing new is written to disk by an installer. The risk from install mechanism is low.
!
Credentials
The examples use the OpenAI Python client (client = OpenAI()) which requires an API key or other credential at runtime, but the skill metadata lists no required environment variables or primary credential. That omission is an incoherence: the skill will need access to an OpenAI API key (e.g., OPENAI_API_KEY) to function.
Persistence & Privilege
The skill is not always-enabled and does not request special platform-wide persistence. It can be invoked by the agent (normal behavior). No indications it modifies other skills or system configs.
What to consider before installing
This skill appears to be a thin wrapper around the OpenAI vision APIs and will read local image files and upload them for analysis. Before installing, confirm the following: (1) Where will requests be sent and which OpenAI account/key will be used? The skill metadata does not declare the required OPENAI_API_KEY — verify you will supply your own key and that the skill will not hardcode or exfiltrate credentials. (2) Understand privacy: any local images (including PII, documents, screenshots) will be transmitted to OpenAI; avoid using highly sensitive images unless you accept that. (3) Check for provenance: the skill's source/homepage are unknown — prefer skills with a traceable author or repo. (4) If you proceed, run it in a restricted environment and review logs to ensure only intended files are read and transmitted. If you cannot verify the above, treat this skill cautiously or consider alternatives that explicitly document credential and data-handling requirements.

Like a lobster shell, security has layers — review code before you run it.

latestvk972x2fm77xzk7ajt9wd7cyttx84xkp5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments