Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
firstskill
v1.0.0
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, gener...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, generator_template.js, and viewer.html all describe/implement p5.js generative-art behavior, which is coherent with the skill description. However, the registry metadata is inconsistent (skill name 'firstskill', registry slug 'excel-skill', SKILL.md 'algorithmic-art') which suggests the package was repurposed or mis-labeled. That mismatch is not necessarily malicious but reduces trust and should be clarified.
Instruction Scope
The instructions explicitly tell the agent to produce .md (philosophy), .html (viewer), and .js (generator) files — this is expected for an art generator. The SKILL.md also instructs the agent to 'emphasize craftsmanship repeatedly' and to reuse a viewer template that embeds 'Anthropic' branding. The instructions do not request system credentials or read unrelated system files. They do direct creation of files and inclusion of external CDN links in the viewer, which could expose usage when the HTML is opened.
Install Mechanism
No install spec (instruction-only with included templates). Nothing will be downloaded or extracted as part of an automated install step, which lowers risk.
Credentials
The skill requires no environment variables, no binaries, and no config paths. The requested capabilities are minimal and appropriate for an instruction-only art generator.
Persistence & Privilege
Default runtime flags (always: false, agent invocation allowed) are standard and do not request permanent or elevated privileges. The skill does not attempt to modify other skills or system configuration.
What to consider before installing
- Metadata mismatch: The package metadata (name/slug) does not match its art purpose. Ask the publisher or review provenance before trusting the package.
- Review generated files: The skill will instruct the agent to create .md, .html, and .js files. Inspect those outputs before sharing or hosting them.
- External resources: The viewer.html template pulls p5.js from a CDN and fonts from Google; opening the viewer will cause network requests that may reveal usage to external services. If you prefer no external requests, modify the template to host libraries locally.
- Branding and wording: The template explicitly uses 'Anthropic' branding and the SKILL.md asks the agent to repeat marketing-like phrases about 'master-level' craftsmanship. These are content/branding issues (not direct security threats) but could be misleading; remove or edit them if undesired.
- Licensing: A standard Apache-2.0 LICENSE.txt is included; confirm that license terms are acceptable for your use.
- Recommendation: The code itself appears to be ordinary p5.js scaffolding (no obfuscated code or credential access). Proceed only after verifying the package source, fixing the metadata/branding if necessary, and optionally replacing CDN links with local copies if you want to avoid external network requests.

Like a lobster shell, security has layers — review code before you run it.
