ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Signus Font Signature

v1.0.1

Generate font-based signature images via Signus API and return image files for chat delivery. Use when asked for font signatures (not AI websocket handwritte...

0· 191·0 current·0 all-time
by@signus-ai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for signus-ai/signus-font-signature.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Signus Font Signature" (signus-ai/signus-font-signature) from ClawHub.
Skill page: https://clawhub.ai/signus-ai/signus-font-signature
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install signus-font-signature

ClawHub CLI

Package manager switcher

npx clawhub@latest install signus-font-signature
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included script and SKILL.md. Required actions (HTTP POST to signus endpoints, unzip, save images) align with the stated purpose. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
The SKILL.md correctly instructs running the included Node.js script with a JSON payload. The script creates an output directory under the user's home (~/.openclaw/media/signatures-font/), posts to fixed signus endpoints, extracts ZIPs, and writes image files. These behaviors are expected for this task, but the skill does perform network access and write files to the user's home directory (media storage) — both are within scope but worth noting.
Install Mechanism
This is an instruction-only skill with a package.json and one dependency (adm-zip). SKILL.md requires running npm install in the skill folder; adm-zip is fetched from the public npm registry (traceable). No arbitrary downloads or extract-from-unknown-URL steps are present.
Credentials
The skill declares no required environment variables or credentials and the code does not read env vars. It uses public signus endpoints; a fallback endpoint (/users/me/...) may rely on implicit session/auth in some deployments, which the SKILL.md explicitly notes.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It writes only into its own media folder under ~/.openclaw/media/signatures-font/. It does not request permanent elevated privileges.
Assessment
This skill appears coherent and implements exactly what it says: it POSTs to https://api.signus.ai, downloads and/or extracts image files, and stores them under ~/.openclaw/media/signatures-font/. Before installing: 1) confirm you trust api.signus.ai and are comfortable with the skill writing files to your home media folder; 2) be prepared to run npm install in the skill folder (it will fetch adm-zip from the npm registry); 3) note the fallback endpoint (/users/me/...) may require an existing session — do not embed secrets in payloads; 4) review the included script yourself if you need higher assurance (it is short and readable).

Like a lobster shell, security has layers — review code before you run it.

latestvk97b5qfew5fk1fhs7rmrmn1ag9832fk5
191downloads
0stars
2versions
Updated 23h ago
v1.0.1
MIT-0
@signus-ai
latest
Download

Signus Font Signature

User-facing language

  • Always write user-facing text in English unless the user explicitly asks for another language.

Runtime requirements

  • Node.js 18+.
  • Install dependencies in this skill folder before first run:
cd /home/node/.openclaw/workspace/skills/signus-font-signature && npm install

Inputs

Provide exactly one identity source:

  • name (e.g., "Allon Mason"), OR
  • firstName + lastName, OR
  • initials (e.g., "AM")

Optional:

  • count — max number of images to return.

Validation

  • Accept exactly one identity source.
  • Reject empty/blank values.
  • If count is provided, treat as numeric limit.

Run

node /home/node/.openclaw/workspace/skills/signus-font-signature/scripts/generate_font_signatures.js '<json payload>'

Examples:

node /home/node/.openclaw/workspace/skills/signus-font-signature/scripts/generate_font_signatures.js '{"name":"Allon Mason","count":10}'

node /home/node/.openclaw/workspace/skills/signus-font-signature/scripts/generate_font_signatures.js '{"firstName":"Allon","lastName":"Mason"}'

Detailed execution flow

  1. Parse payload and normalize identity into name.
  2. Create output directory:
    • ~/.openclaw/media/signatures-font/<name>-<timestamp>/
  3. Request font generation using fixed trusted host (https://api.signus.ai) and endpoint order:
    • primary: POST /api/signus/v0/signature-generations/font
    • fallback: POST /api/signus/v0/users/me/signature-generations/font
  4. Process response by content-type:
    • ZIP/octet-stream: extract with in-process JS unzip library (adm-zip), then collect image files.
    • JSON: read payload.thisPageItems[], then download each image from:
      • /api/signus/v0/signature-generations/font/{generationId}/signatures/{generatedSignatureId}/{clean|watermark}.png
  5. Return:
    • count
    • directory
    • signatures[]: { id, filePath }
  6. Send images to chat via message action=send and media=<filePath>.

Authentication model

  • This skill does not handle API tokens or env-based credentials.
  • It assumes the primary public endpoint can be used without explicit Authorization header.
  • The /users/me/... fallback may work only where implicit session/auth exists.
  • If your deployment requires explicit auth, update the script design first (do not inject secrets into payloads by default).

Security notes

  • No environment-variable reads.
  • No shell command execution.
  • Network target is fixed to https://api.signus.ai.
  • Writes only under ~/.openclaw/media/signatures-font/.
  • Keep this skill separate from signus-signature (AI websocket handwritten signatures).

Comments

Loading comments...