Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

龙虾的小家园 — Desktop Pet

v11.0.0

Deploy a pixel-art desktop pet (桌面宠物) with four explorable scenes, care mechanics, and walk animations. Use when user asks to create a desktop pet, virtual p...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included Python Tkinter desktop pet script. However, SKILL.md's asset list is minimal while the script expects many additional character sprites; the SKILL.md instructs manual asset copying but the script will auto-download missing assets at runtime. This is plausibly legitimate but inconsistent.
Instruction Scope
SKILL.md instructs only to install Pillow and run the script and to copy assets locally, and does not mention network activity. The script, however, will attempt to download numerous asset files from raw.githubusercontent.com if assets are missing, and the presence of http.client/urllib/json imports suggests additional web requests (e.g., weather fetching). The skill also writes a save file under ~/.nbw_pet_save.json. The runtime will therefore access the network and the user's home directory despite SKILL.md implying a local-only run.
Install Mechanism
There is no package install spec (instruction-only), but the script auto-downloads assets at runtime from https://raw.githubusercontent.com/..., a GitHub raw URL (a known host). Downloading assets at runtime is a supply-chain risk (content can change upstream), and the downloads are not signature-verified, though the host itself is a common code host.
Credentials
The skill requests no environment variables or credentials (ok). It does create an assets directory next to the script and writes a JSON save file to the user's home directory (~/.nbw_pet_save.json), which is proportionate for a desktop app but should be explicitly documented in SKILL.md (it is not).
Persistence & Privilege
The skill is not marked always:true and cannot modify other skills. Its persistence is limited to writing an assets folder (next to the script) and a single save file in the user's home directory — normal for a desktop application.
What to consider before installing
This skill is likely what it claims (a Tkinter desktop pet) but it downloads many asset files from a GitHub raw URL at first run and writes a save file to ~/.nbw_pet_save.json. Before installing or running: (1) inspect scripts/desktop_pet.py fully for any unexpected network calls or data uploads; (2) consider running it in a sandbox or VM; (3) if you prefer offline use, pre-populate the assets/ directory with trusted files to prevent runtime downloads; (4) verify the GitHub repo and asset URLs manually if you plan to allow downloads. If you are uncomfortable with automatic network downloads or files written to your home directory, do not run it.

Like a lobster shell, security has layers — review code before you run it.

Tags: desktop, latest, pet, pixel, tamagotchi
