Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pinyin-box

v1.0.0

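Chinese Character Helper - converts text, or text found in images, into pinyin-grid or 米字格 (mi-zi-ge) practice sheets. Use this Skill when the user needs to: (1) turn text into a copybook or 米字格 grid, (2) extract the text from an image and generate pinyin grids, (3) generate Chinese character handwriting practice material, (4) turn any content into pinyin-grid or 米字格 format. Supports text input and image OCR recognition, and outputs PNG or PDF.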

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (generate pinyin/grid practice sheets from text or images) aligns with instructions to OCR images, format text, and invoke a local pinyin-box CLI. The requirements (a Python package providing the CLI) are appropriate.
Instruction Scope
Runtime instructions stay within the stated purpose: they call an image OCR helper, format text, and run the pinyin-box CLI to produce PNG/PDF output. The instructions reference only workspace paths and the image tool; they do not request unrelated files, system-wide configuration, or external endpoints beyond installing the package.
Install Mechanism
No install spec in the registry, but SKILL.md instructs pip install -r requirements.txt which includes a direct GitHub Releases wheel URL. Using a wheel from GitHub Releases is a common pattern, but it does mean arbitrary Python code will be downloaded and installed into the agent environment — a normal but material supply-chain risk to be aware of.
Credentials
The skill declares no required environment variables, credentials, or sensitive config paths. The SKILL.md only references local workspace paths. No disproportionate secret access is requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not ask to modify other skills or system-wide settings. Ordinary lifecycle (installing its package into a virtualenv) is expected.
Assessment
This skill appears to do what it advertises: OCR text and run a local 'pinyin-box' CLI to produce practice sheets. Before installing, note that the install step will pip-install a wheel hosted on a GitHub release (normal for Python packages but it executes code in your environment). If you need higher assurance: (1) inspect the wheel's source repository (owner/URL in requirements.txt points to github.com/yanglinzhen/pinyin-box) before installing, (2) prefer installing into an isolated virtual environment, and (3) verify the package's behavior or run it in a sandboxed agent environment.
