Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Loopwind
v0.25.11
Generate images and videos from React + Tailwind CSS templates using the loopwind CLI.
⭐ 0· 647·1 current·1 all-time
by Tommy Vedvik (@tomtev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (generate images/videos from React + Tailwind templates using the loopwind CLI) match the SKILL.md content: commands, template structure, and rendering workflows are coherent with the stated purpose. The file references (.loopwind, templates, props files) are expected for this tool.
Instruction Scope
The SKILL.md instructs users/agents to run external installers and to add templates/skills from arbitrary URLs (e.g., `curl -fsSL https://loopwind.dev/install.sh | bash`, `npx skills add https://loopwind.dev/skill.md`, and `loopwind add https://example.com/templates/...`). Templates are executable JSX/JS modules that can run arbitrary code during render/validation. The instructions therefore encourage fetching and executing remote code and giving agents discretion to install content from untrusted sources — scope creep beyond simply rendering templates.
Install Mechanism
There is no registry install spec in the skill metadata, but the SKILL.md explicitly recommends a remote install via a curl|bash one-liner from loopwind.dev. Piping a remote shell script to bash is a high-risk install pattern because it executes code fetched at runtime without prior inspection. The skill also recommends pulling templates and an AI skill from arbitrary URLs, which may download and store code locally (.loopwind/) and then execute it via the CLI.
Credentials
The skill does not request environment variables, credentials, or privileged config paths in the registry metadata. That is proportionate to the described functionality. However, because templates and remote installers can contain code, they could ask for or use credentials at runtime if you run them — the registry metadata itself does not request secrets.
Persistence & Privilege
The recommended installer writes to ~/.loopwind and adds a CLI to PATH, creating a persistent tool on the system (expected for a CLI). The skill metadata does not request elevated privileges or always:true. Still, following its install instructions results in persistent software that may be invoked autonomously by agents if configured to do so.
What to consider before installing
This SKILL.md is coherent with its stated purpose, but it tells you to fetch and run remote code and to add templates/skills from arbitrary URLs. Those actions can install and execute untrusted code. Before installing or running anything:
1) Do NOT blindly run `curl | bash`. Download the install.sh first, inspect its contents, and verify the publisher (or prefer a package manager or verified release).
2) Treat templates as code — review template files before adding them, especially if pulled from external URLs.
3) Run initial installs and renders in an isolated environment (container, VM, or non-root account).
4) Prefer official templates or local files under your control; avoid arbitrary URLs.
5) Verify loopwind.dev ownership and check for signed releases or GitHub releases if possible.
6) If an AI agent will be allowed to autonomously install templates or run the CLI, restrict that capability or require manual review.
Following these steps will reduce the risk of executing malicious code introduced by the install or by third-party templates.
Like a lobster shell, security has layers — review code before you run it.
