catime
v0.5.0Fetch and send AI-generated hourly cat images. Every hour a unique cat artwork is born via Google Gemini. Use when user asks for a cat picture, wants to browse the cat gallery, or requests the latest AI-generated cat image to be sent to them.
⭐ 0· 998·0 current·0 all-time
by@yazelin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims only to fetch/send hourly AI-generated cat images and the SKILL.md shows CLI usage that matches that purpose. However, the registry metadata requires a binary named 'uv' (never referenced in the runtime instructions) and the top-level registry said 'No install spec' while the SKILL.md includes an install entry (pip package 'catime'). Those mismatches are unexplained and disproportionate to the stated simple purpose.
Instruction Scope
Runtime instructions are narrowly scoped: run the 'catime' CLI, parse the output, extract the URL, and send the image via the message tool. The instructions don't request unrelated files, credentials, or network sinks. They do instruct installing and running a third-party CLI (catime) which will execute code at runtime — that is expected but worth auditing.
Install Mechanism
The SKILL.md recommends 'pip install catime' (a public-package install path, moderate risk and expected for a CLI). However, the registry summary contradicted this by saying 'No install spec' while the SKILL.md contains an openclaw.install block. The pip mechanism is normal but can run arbitrary code at install/runtime; verify the package source and any post-install behavior. No high-risk download URLs or extract steps are present.
Credentials
The skill requests no environment variables, credentials, or config paths — that aligns with its purpose. There are no declared secrets or platform tokens requested.
Persistence & Privilege
The skill does not request always:true and uses default autonomous invocation settings. It does not ask to modify other skills or system-wide settings. Persistence/privilege requests are minimal and typical.
What to consider before installing
This skill appears to do what it says (run a CLI, get a GitHub-hosted image URL, send it to the user), but there are two red flags to check before installing:
1) 'uv' binary requirement: The registry lists a required binary named 'uv' but the SKILL.md never mentions it. Ask the owner what 'uv' is for and why it's required. If you can't confirm, don't install in a sensitive environment.
2) Pip package install: The skill recommends 'pip install catime' — pip packages can execute code at install and runtime. Before installing, inspect the package source (PyPI and the linked GitHub repo), look for post-install scripts, network calls, or code that reads unrelated local files. Prefer to:
- pip download the package and examine its contents (setup.py/pyproject, entry points, scripts), or
- clone the GitHub repository (https://github.com/yazelin/catime as referenced) and review code, or
- run the package in an isolated sandbox/container if you must test it.
Also verify the image hosting URLs (the examples point to github.com/yazelin/releases/download/...) to confirm they host exactly what you expect and are not redirecting to external trackers. If you need higher assurance, ask the publisher to explain the 'uv' dependency and provide a reproducible installation manifest or signed release. If you cannot validate these points, treat the skill as suspicious and avoid installing it in production or on devices with sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk97ajdx58hhef59qntz052tk0x80yy00
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsuv