ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MLOps Industrialization

v1.0.0

Transform prototypes into distributable Python packages

0· 569·0 current·0 all-time
byGuohongbin@guohongbin-git
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (turn prototypes into distributable Python packages) matches the provided artifacts: a SKILL.md describing a package generator and a shell script that creates a src/ package layout. No unrelated credentials, binaries, or installs are requested.
!
Instruction Scope
SKILL.md instructs running ./scripts/create-package.sh which writes files into the workspace — this is expected. However the script does not sufficiently sanitize the user-supplied package name: PACKAGE_DIR is derived only by replacing '-' with '_' so values containing '..' or other path components can create directories outside the intended folder (src/../...). Also train.py contains a likely bug (calls config.model_dump() where transform_features expects a config dict) which could cause runtime errors. There are no instructions to read secrets or send data externally.
Install Mechanism
No install spec; the skill is instruction-only with a small helper script. Nothing is downloaded or extracted from external URLs.
Credentials
The skill requests no environment variables, credentials, or config paths. The code uses standard libraries and common Python packages (pandas, pydantic) but does not require secrets or network credentials.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false) and does not attempt to modify other skills or system-wide configuration. It writes files only when its script is executed.
Assessment
This skill appears to do exactly what it says: create a three-layer Python package layout. Before running the script, review and run it in a safe/empty directory (or container) because it will create files and directories in your working tree. Avoid passing package names containing path traversal sequences (e.g., '..' or leading slashes) — the script only replaces '-' with '_' and does not sanitize other characters. Expect to install runtime dependencies yourself (pandas, pydantic, parquet engine like pyarrow) and note the small bug in application/train.py (config.model_dump() passed into transform_features) which you may need to fix. If you want additional safety, run the script in a disposable environment or inspect/modify it to validate/sanitize the PACKAGE_NAME before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dp4sx77vn0xjpm6x0wf5ak981dbktmlopsvk97dp4sx77vn0xjpm6x0wf5ak981dbktpackagingvk97dp4sx77vn0xjpm6x0wf5ak981dbkt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments