Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Motif Logo Generator

v1.0.0

Generate publication-quality sequence logos for DNA or protein motifs.

by AIpoch @aipoch-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The declared purpose (publication-quality DNA/protein logos) matches the presence of a generator script, but SKILL.md advertises features, a Python API, CLI flags (--input, --type, --title, color schemes) and dependencies (logomaker, pandas, matplotlib) that are not present in the packaged code. The only actual code (scripts/main.py) imports argparse and numpy and supports --demo or a --sequences file and two output modes (ascii, weblogo). requirements.txt contains only numpy. The extra advertised capabilities and dependencies are disproportionate to the included implementation.
! Instruction Scope
SKILL.md instructs users/agents to run commands and use CLI flags and a Python API that do not match scripts/main.py (e.g., it refers to --input, --type, a motif_logo_generator.generate_logo API, and a CONFIG block that do not exist). The script also prints shell commands to run external tooling (weblogo) but does not invoke any network calls itself. The instructions are inconsistent and somewhat open-ended, which could cause an agent or user to run unexpected external commands if they follow the documentation literally.
Install Mechanism
There is no install spec (instruction-only install via pip -r requirements.txt is suggested). That is low-risk in itself. Note: requirements.txt only lists numpy while SKILL.md lists additional packages — a discrepancy but not an installation mechanism risk.
Credentials
The skill requests no environment variables, credentials, or config paths. The code only reads an input sequences file and writes an output file; no secrets or external credentials are requested.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request persistent system-wide changes or modify other skills' configuration.
What to consider before installing
This package is not clearly malicious, but it is inconsistent and needs manual review before use. Things to do before running or installing:
1) Inspect scripts/main.py (already included) — it looks benign (file I/O, local computation, prints commands), but confirm it matches your expectations.
2) Don't trust SKILL.md blindly: it advertises CLI flags and a Python API that aren't implemented and lists extra dependencies (logomaker, pandas, matplotlib) that aren't in requirements.txt.
3) Run python -m py_compile scripts/main.py and run the script in a sandboxed environment (or container/VM) with a non-sensitive sample input first.
4) If you need the extra features mentioned in SKILL.md (plotting, PNG/PDF output via libraries), request or add the missing implementation and update requirements.txt accordingly; otherwise remove misleading docs.
5) Be cautious about executing the printed weblogo shell commands — they assume an external tool (weblogo) is installed and could be used to execute further commands on your system.
6) If you want to allow an agent to run this skill autonomously, fix the documentation/implementation mismatch and pin exact dependencies; otherwise, treat it as an untrusted, locally-run script.
If you want, I can produce a checklist of exact changes to make SKILL.md and the code consistent.

Like a lobster shell, security has layers — review code before you run it.
