Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Process-Diagram-Pro
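v2.0.0
Generates industry-standard chemical process PFDs, P&IDs, system architecture diagrams, and data flow diagrams, with support for temperature gradients and Chinese text display.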
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description claim (PFD/P&ID/architecture generation, Chinese text, temperature gradients) is implemented by the included Python modules (canvas, diagrams, pipelines, devices, fonts). Declared runtime dependency list (matplotlib, pillow, numpy) is proportionate to the functionality.
Instruction Scope
SKILL.md contains only diagram-generation APIs, usage examples and install commands for the Python deps. It also suggests using an external 'agent-browser' CLI to fetch a cloud usage doc (Feishu link) — that gives the agent an optional way to retrieve external web content. The instructions do not direct reading of unrelated local files or environment variables. The font loader module prints system font paths and in its test code writes a file under /tmp only when executed as __main__.
Install Mechanism
There is no install spec in the registry (instruction-only for the platform). SKILL.md recommends 'pip install matplotlib pillow numpy' which is expected. The only additional install suggestion is an optional npm global 'agent-browser' CLI for web scraping; installing that is an explicit user action and not required for core functionality.
Credentials
The skill does not request environment variables, credentials, or config paths. No sensitive names (TOKEN/KEY/etc.) are required. Font loader accesses system font paths and the skill directory, which is reasonable for rendering Chinese text.
Persistence & Privilege
Registry flags show default privileges (always: false, agent invocation allowed). The skill does not request permanent/always-on inclusion or modify other skills. No evidence it writes persistent agent-wide configuration.
Assessment
This package appears coherent for its stated purpose, but the source has no homepage and some files were omitted from the review — exercise caution before using in sensitive environments. Recommendations:
- Review the remaining files (omitted in the manifest) for any network calls, hard-coded external URLs, or code that reads/writes unexpected system paths.
- Run the code in an isolated environment (virtualenv / container) before adding to production. Installing matplotlib/Pillow/numpy is normal; only install the optional 'agent-browser' tool if you need the web-scraping examples.
- Note the font loader will look through system font paths and may print them; its __main__ test writes /tmp/font_loader_test.png if executed directly — that behavior is benign but be aware.
- If you will handle confidential diagrams, ensure no unexplained telemetry or remote upload is present in the omitted files; request the full source or a signed package from an identifiable author if you need higher assurance.

Like a lobster shell, security has layers — review code before you run it.
latest vk97ezbk2mtz735qbr3efmmtgz983vzat
