Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RegexVisualizer

v1.0.0

Render Regulex-style railroad diagrams for a JavaScript regular expression and export the exact same SVG/PNG as the Regulex-Plus web UI (docs/index.html) "Ex...

by Zhong Siyao @pipedream941
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the skill embeds Regulex-Plus HTML and provides a Node script that launches puppeteer-core to produce the same SVG/PNG output as the web UI. Required tooling (Node, local Chrome/Edge) is appropriate and documented. No unrelated env vars, binaries, or credentials are requested.
Instruction Scope
SKILL.md instructs running the included scripts, installing puppeteer-core, and supplying a regex/out path. The runtime instructions only read the included assets/regulex.html and write the requested <out>.svg/.png files. There is no instruction to read arbitrary user files, environment secrets, or transmit data to external endpoints. Note: since the HTML is rendered by a browser, if that HTML referenced remote assets it could cause network fetches; the bundled assets appear self-contained.
Install Mechanism
No automatic install spec is present (instruction-only), but package.json depends on puppeteer-core and SKILL.md documents running npm install. This is a normal, proportionate approach. puppeteer-core does not bundle Chromium so the script correctly requires a local browser; package-lock is included and references npm registry packages (expected).
Credentials
The skill requests no credentials or config paths. It optionally respects CHROME_PATH / PUPPETEER_EXECUTABLE_PATH or a --chrome flag to locate the browser, which is reasonable and proportional to launching puppeteer. No secrets are required or accessed.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill does not attempt to persist system-wide configuration, modify other skills, or request permanent elevated presence.
Assessment
This skill appears to do exactly what it claims: run a local Node script that loads the included Regulex HTML in a headless browser and writes SVG/PNG output. Before installing, note: (1) npm install will add puppeteer-core and its dependencies to the skill folder; (2) you must have a local Chrome/Edge installed (or set CHROME_PATH/--chrome); (3) the script launches the browser with --no-sandbox (common for headless automation) — only run it on trusted content and in a safe environment; (4) review assets/regulex.html if you have concerns about remote resource loading (the packaged file appears self-contained). If you only need simple diagram rendering and prefer fewer dependencies, consider alternative tools that don't require a headless browser, but from a coherence/security standpoint this package is consistent with its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b6akpj1hja94yqzhp2p28n581vkn0
