ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Iflow Template Toolkit

v1.0.0

Dependency-free template engine with variable substitution, conditionals, loops, and multi-language support for iFlow skills.

0· 47·0 current·0 all-time
by@sylvanxiao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the included code: template_engine.py and translator.py implement rendering, conditionals, loops, and JSON-backed translations. No unrelated binaries, env vars, or services are requested.
Instruction Scope
SKILL.md usage is scoped to rendering templates and initializing translations. The engine reads template files from disk (TemplateEngine.load_template) and translation JSONs (Translator.from_dir), which is expected for a template/i18n tool; however, rendering arbitrary user-supplied template names or giving absolute file paths could cause the engine to open any file the agent/user permits. The engine does not execute code or call eval(), and conditional parsing is limited to simple operators (==, !=, in, truthiness).
Install Mechanism
There is no install spec (instruction-only); the package contains source files but nothing is downloaded or executed automatically during install. This is low-risk from installation mechanics.
Credentials
No environment variables, credentials, or config paths are required. Declared requirements (Python 3.6+) are proportionate to the functionality.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. disable-model-invocation is default (agent may invoke autonomously), which is normal and not by itself a red flag.
Assessment
This skill appears to implement exactly what it claims: a small dependency-free template engine and translator. Before installing, consider: (1) avoid rendering untrusted templates or passing absolute/system file paths as template names, since the engine will open files the runtime user can access; (2) translation loading (from_dir) reads JSON files from disk—only load trusted translations; (3) although the engine does not use eval or network calls, review the code if you plan to run it in sensitive environments. If you want to reduce risk, run the included tests locally and restrict what template paths the agent is allowed to access. If you are concerned about autonomous invocation, you can disable the skill or restrict its permissions in your agent settings.

Like a lobster shell, security has layers — review code before you run it.

latestvk976nxk5tt9txgjk4g34qpj9gn83s0ha

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments