ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

image-ocr-local-AIPC

v1.0.0

Image OCR, text recognition, extract text from image, scan document, read image text, invoice OCR, receipt OCR, contract recognition, table extraction, busin...

0· 62·0 current·0 all-time
by@violet17
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (local OCR with GLM-OCR and llama.cpp Vulkan) matches the instructions: creating an OCR directory, downloading a pretrained GGUF model and a llama.cpp Vulkan binary, and running local inference. No unrelated capabilities or credentials are requested in the manifest.
Instruction Scope
SKILL.md instructs the agent to run PowerShell to create directories, set an environment variable, download/extract binaries, and run inference — all expected for a local OCR installer. It does not instruct the agent to read unrelated user files or secrets. However, the instructions reference downloading model files via huggingface_hub or modelscope but do not explain authentication or consent prompts if private models or rate limits apply.
Install Mechanism
The skill uses legitimate sources: a GitHub releases URL for llama.cpp and huggingface_hub/modelscope for model downloads. These are expected for this use case. Risk: the install will write and execute binaries and large model files to disk and can automatically install Miniforge if Python is missing — benign if you trust the sources, but carries the usual risks of executing downloaded binaries.
!
Credentials
The declared requirements list no credentials, but the runtime instructions rely on huggingface_hub or modelscope to download model artifacts. If the model is gated or large-files require an HF token, the skill may implicitly require HUGGINGFACE_TOKEN or similar credentials (not declared). This is a proportionality mismatch and worth clarifying before use.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It creates files and installs software under a user-specified or auto-selected directory (normal for a local tool). It sets an environment variable in-session only.
What to consider before installing
This skill appears to implement a local Windows OCR pipeline and will download and extract binaries and large model files into a directory you choose (or auto-selected). Before installing, verify you trust the GitHub release URL and the Hugging Face / ModelScope model source; confirm whether the model requires authentication (HUGGINGFACE_TOKEN) — the skill does not declare that but may prompt for or require a token. Expect the installer to create folders, place executables (llama-cli) and models on disk, and possibly install Miniforge/Python. If you need to hold downloads to known-good checksums or avoid automatic installers, review the PowerShell steps in SKILL.md and run them manually rather than granting autonomous execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bg37fxpggy9nnmd40c84jrs83804x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments