Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
poster generator
v1.0.1
Generate professional marketing posters, social media graphics, and event flyers using AI-driven templates, customizable text, colors, and batch output in PN...
⭐ 0 · 150 · 1 current · 1 all-time
by Justin Liu @zhenstaff
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill's name and documentation describe a Node.js-based poster generator (templates, canvas/sharp/jimp, npm CLI). However the registry metadata lists no required binaries or env vars. That mismatch is an internal inconsistency: a legitimate Node-based skill would normally declare Node/npm as a requirement or include an install spec.
Instruction Scope
SKILL.md instructions stay on-topic (generate posters, templates, fonts, batch runs) and do not explicitly instruct reading unrelated secrets or system files. It recommends cloning a GitHub repo and running npm install, installing system fonts (sudo apt-get), and using axios for network operations — the docs claim 'local processing' but axios implies the code can perform network requests depending on implementation. No explicit exfiltration steps are present, but the skill gives the agent discretion to fetch remote assets.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the README tells users to npm install -g or git clone from GitHub. Installing npm packages (canvas, sharp, jimp, axios) is common for this functionality, but native modules (canvas, sharp) run build/postinstall scripts and may require system libraries and compilers. Because the skill pulls code from an external GitHub/npm source at install time, review package.json and postinstall scripts before installing.
Credentials
The skill declares no required credentials or env vars (reasonable for offline poster generation). The docs do suggest setting NODE_OPTIONS and using sudo to install fonts or npm -g which require elevated privileges — those are not secrets but are privileged actions. No API keys are requested, but axios in dependencies could be used to fetch remote assets if the implementation does so.
Persistence & Privilege
The skill is not marked always:true and doesn't request special agent-wide privileges. It instructs creating a local config file (.postergenrc.json) which is normal. It does not claim to modify other skills or global agent settings.
What to consider before installing
This skill plausibly implements a poster generator, but there are some red flags you should act on before installing:
- Metadata mismatch: the registry lists no required binaries, but the docs require Node.js >=18 and npm packages. Treat the docs as authoritative only after you inspect the code.
- Inspect the source: review the GitHub repository (package.json, index/CLI entry, and any postinstall scripts) for network calls, eval/exec usage, or unusual postinstall behavior before running npm install -g.
- Check package.json scripts: watch for postinstall, preinstall, or install scripts that run arbitrary commands with your privileges.
- Run in a sandbox: if you're unsure, run the tool inside a container or VM, or use npx to avoid global installation.
- Watch native modules: canvas/sharp/jimp are native or binary-compiled modules that may require build tools and run native code during install — ensure you trust the package source.
- Verify the claim of 'local processing': search the code for axios/fetch/http calls to confirm whether assets or data are sent to external servers.
- Avoid providing secrets: the skill does not need API keys for basic features, so do not supply credentials unless you confirm they are necessary and trustworthy.
- Use standard safety checks: run `npm audit`, check maintainer reputation, read recent commits, and prefer installing from an official, well-maintained package or verified repository.
If you can provide the repository/package.json or the package code, I can scan the scripts and dependencies for risky install-time behavior or network calls to give a higher-confidence assessment.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97aq4k1q0694dwfd0x9edg0r183jpkg
