Emojilist
v3.0.0Search emojis by name or category and copy them for instant use. Use when finding emojis, browsing categories, copying codes.
⭐ 0· 260·0 current·0 all-time
bybytesagain4@xueyetianya
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill name/description (emoji search, browse, copy) aligns with the included script: a Bash CLI with an embedded emoji database and commands for search, category, random, popular, and list. There are no unrelated binaries, env vars, or config paths requested.
Instruction Scope
SKILL.md's runtime instructions are limited to local terminal usage and examples. However, the SKILL.md triggered a 'unicode-control-chars' scan finding (hidden/invisible characters) which can be used for prompt-injection or obfuscation; review the SKILL.md and the provided scripts for any hidden or unexpected commands. The visible portion of scripts/script.sh appears to contain only an emoji DB and helper functions, but the file is long—inspect the rest for network or file-access operations before running.
Install Mechanism
No install spec is present (instruction-only), so nothing will be downloaded automatically. The package includes a script file which will run locally; there is no evidence of downloads or external installers in the metadata.
Credentials
No environment variables, credentials, or config paths are required. The skill does not declare access to unrelated services or secrets — access requests are proportionate to an offline emoji utility.
Persistence & Privilege
The skill is not forced-always, does not request persistent platform privileges, and does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed (platform default) but combined with the other signals this does not increase concern.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden unicode control characters are not expected for a simple emoji reference. They can be used to obfuscate or inject content. This is likely low-risk here but warrants manual inspection of SKILL.md and script files for invisible characters or hidden directives.
Assessment
What to check before installing/running:
- Inspect SKILL.md and scripts/script.sh for hidden or unexpected content (run `cat -v SKILL.md` or `sed -n l SKILL.md` to reveal control characters). Remove or ask the author about any invisible characters.
- Search the script for network/file/execution patterns (grep for curl, wget, nc, ssh, scp, eval, base64, openssl, bash -c, sudo). If any appear, review those lines carefully.
- Run the script in a sandbox/container or with limited privileges first (not on a sensitive machine).
- If you don't want to run shells directly, copy the emoji DB into a trusted tool or use a vetted package from a well-known source.
- The repository/homepage and an author email are provided (bytesagain.com / hello@bytesagain.com); if anything looks suspicious, contact the author or prefer an alternative source.
Overall: functionality and footprint are coherent for an offline emoji tool, but because of the unicode-control-chars finding and the presence of an executable script, manually inspect and sandbox-run it before trusting it on production systems.Like a lobster shell, security has layers — review code before you run it.
latestvk97eq7sq7z1jxxes20rgmjktt183629s
License
MIT-0
Free to use, modify, and redistribute. No attribution required.