Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sun Path & Environmental Analysis
v1.4.1
Generates a sun path diagram, calculates solar position, performs building shadow analysis, and analyzes thermal comfort.
by AddinCui @qrost
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the included scripts and requirements. The Python scripts implement sun-position, sun-path plotting, building shadow, annual hours, terrain DEM shadow, and a psychrometric plot; the listed Python packages are appropriate for these tasks.
Instruction Scope
SKILL.md instructs the agent to run the included scripts via shell exec and to write/send generated images from allowed media dirs. This stays within the skill's purpose. One attention point: the instructions explicitly say 'Do not ask for confirmation; execute and return the image and a short summary' — that reduces user-interaction checks and could lead to unexpected immediate execution if the agent is allowed autonomous invocation. Functionally, however, the commands only read user-specified inputs (coordinates, DEM path, building dims) and write outputs.
Install Mechanism
No install spec is present (instruction-only), so nothing is downloaded or executed at install time. Dependencies are standard Python packages listed in requirements.txt; the README asks the user to run pip install -r requirements.txt manually. No remote URLs or archive extraction occur during install.
Credentials
The skill declares no environment variables, no credentials, and no config paths. The scripts don't read env vars or secret files — they operate on parameters and user-supplied DEM files only. This is proportionate to the stated functionality.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide changes. However, because SKILL.md requires shell exec and instructs the agent to run scripts without asking for confirmation, an autonomously-invoked agent (the platform default) could execute those scripts immediately when triggered. That increases the practical blast radius but is coherent with the skill's operation (image generation) and not excessive by itself.
Assessment
This skill appears to do exactly what it says: local Python scripts that calculate solar geometry, shadowing, and create plots. Before installing or using it:
1) Review and run the scripts in a controlled environment (virtualenv/container) and install the requirements from requirements.txt rather than system-wide.
2) Be mindful of the SKILL.md instruction to 'execute without confirmation' — if you allow autonomous agent invocation, the agent may run the scripts immediately when asked; if you want manual control, disable autonomous invocation or require confirmation.
3) When using terrain_shadow, only pass DEM files you trust and watch memory/CPU usage (the algorithm is potentially slow for large rasters).
4) PUBLISH.md contains deployment notes and an IP address (author's example); that is documentation only and not executed by the skill — nevertheless, verify the author's identity/source if you prefer published skills from known repos.
5) If you need stricter controls, run the skill in an isolated agent or sandbox and monitor file outputs under the allowed media dirs before enabling it for broad/autonomous use.
Like a lobster shell, security has layers — review code before you run it.
