Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shrink JSON in Prompts (TOON Encoder/Decoder)

v1.0.0

Compress, encode, and decode large JSON payloads into a compact, reversible TOON string to reduce token usage in LLM prompts and tool payloads. Use when you...

by kevin Zhang @zmkkevin

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zmkkevin/toon-json.

Install the skill "Shrink JSON in Prompts (TOON Encoder/Decoder)" (zmkkevin/toon-json) from ClawHub.
Skill page: https://clawhub.ai/zmkkevin/toon-json
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install toon-json

ClawHub CLI


npx clawhub@latest install toon-json

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name, description, SKILL.md, and the included Python script all point to a local JSON encoding/decoding utility; there are no declared env vars, binaries, or config paths that don't match this purpose.
Instruction Scope
Runtime instructions only ask the agent/user to run the bundled script against stdin/stdout (encode/decode/schema). The SKILL.md does not instruct reading unrelated files or sending data to external endpoints. However, the source in the prompt is truncated, so I cannot confirm there are no additional runtime behaviors later in the file.
Install Mechanism
No install spec is present (instruction-only skill with a local script). This is low risk — nothing is downloaded or written to disk by an installer.
Credentials
The skill declares no required credentials, environment variables, or config paths. The visible code uses only standard libraries (json, base64, hashlib, re, sys) consistent with its purpose.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or elevated agent privileges in the provided metadata.
What to consider before installing
This skill appears coherent and limited to local JSON encoding/decoding, but the source listing you provided is truncated — I could not review the entire file. Before installing or running it, review the complete scripts/toon_json.py to confirm there are no network calls, subprocess exec/os operations, or hidden telemetry. If you cannot inspect the full file, run it in a sandbox or isolated environment and/or open the file to verify it only parses and transforms data (no requests, no subprocess.exec, no os.system, etc.). Also consider whether you will push sensitive data through this tool and test with non-sensitive samples first.

Like a lobster shell, security has layers — review code before you run it.
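
The report's advice to confirm that scripts/toon_json.py makes no network calls or subprocess/os operations can be triaged statically before reading the file by hand. The following is an added example, not ClawHub's scanner or the skill's own code: the allowlist is the set of modules the report names, while the risky-builtin list, the sample sources and the file name audit_skill.py are assumptions.

```python
import ast
import sys

# Modules the scan report lists for the visible code (from the page).
ALLOWED_MODULES = {"json", "base64", "hashlib", "re", "sys"}
# Builtins that execute code, import dynamically, or open files (assumed list).
RISKY_BUILTINS = {"eval", "exec", "compile", "__import__", "open"}

def audit_source(source, filename="<skill>"):
    """Return sorted (line, finding) pairs; an empty list means nothing flagged."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    findings.append((node.lineno, "import " + alias.name))
        elif isinstance(node, ast.ImportFrom):
            module = "." * node.level + (node.module or "")
            # Relative imports pull in another local file that needs review too.
            if node.level or module.split(".")[0] not in ALLOWED_MODULES:
                findings.append((node.lineno, "from " + module + " import"))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            # Bare-name calls only, so re.compile() is not confused with compile().
            if node.func.id in RISKY_BUILTINS:
                findings.append((node.lineno, "call " + node.func.id + "()"))
        elif isinstance(node, ast.Attribute) and node.attr == "modules":
            # sys.modules[...] reaches modules without an import statement.
            if isinstance(node.value, ast.Name) and node.value.id == "sys":
                findings.append((node.lineno, "sys.modules access"))
    return sorted(findings)

# Constructed samples, not the skill's real source.
CLEAN_SAMPLE = '''import json, sys, re
KEY = re.compile("[a-z_]+")
def main():
    sys.stdout.write(json.dumps(json.load(sys.stdin)))
'''
SUSPECT_SAMPLE = '''import json
import urllib.request
from subprocess import run
def encode(obj):
    helper = __import__("socket")
    return json.dumps(obj)
'''

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 audit_skill.py scripts/toon_json.py
    with open(sys.argv[1], encoding="utf-8") as fh:
        for line, finding in audit_source(fh.read(), sys.argv[1]):
            print(f"{sys.argv[1]}:{line}: {finding}")
```

An empty result narrows what needs reading by hand; it does not prove the script is safe, since indirect lookups such as getattr on builtins are not covered, so the sandbox run the report suggests still applies.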

latest vk9733fc8cfjnvw83hkxhczyyvh83jnqx
91 downloads
0 stars
1 version
Updated 1mo ago
MIT-0

toon-json (TOON v1)

Use the bundled script scripts/toon_json.py to encode JSON into a compact TOON string and decode it back losslessly.

Commands

Encode JSON -> TOON

  • Minimal:
python3 scripts/toon_json.py encode < input.json
  • With schema (better compression for repeated keys):
python3 scripts/toon_json.py encode --schema < input.json
  • Pretty wrapper (includes schema metadata):
python3 scripts/toon_json.py encode --schema --pretty < input.json

Decode TOON -> JSON

python3 scripts/toon_json.py decode < input.toon

Derive a schema (key dictionary) from JSON

python3 scripts/toon_json.py schema < input.json

Operational guidance

  • Prefer --schema when:
    • The JSON has many repeated keys (APIs, config blobs, tool outputs)
    • You will send similar objects repeatedly across turns
  • Prefer schema-less mode when:
    • One-shot payloads
    • You want maximum human readability

Safety / correctness

  • The format is designed to be lossless for JSON types: object, array, string, number, boolean, null.
  • Rejects non-JSON numbers (NaN/Inf) and non-string object keys.
  • If decoding fails, re-run with --pretty output on encode to inspect the embedded schema.
