Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ImageCompress

v1.0.0

Compress PNG, JPEG, WebP images using TinyPNG/Tinify free web API. No API key required, no login needed. Supports single/batch/directory compression with aut...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, required binary (python3), dependency (requests), and the included script all align with an image compression tool that uploads images to TinyPNG/Tinify. The requested resources are proportionate to the stated purpose.
! Instruction Scope
SKILL.md and the script instruct uploading user images to tinypng.com or tinify.cn, downloading compressed results, and writing output files, which matches the purpose. However, the instructions and code explicitly implement header spoofing (random X-Forwarded-For and randomized User-Agent) and use an unofficial web frontend endpoint (/backend/opt/shrink). This goes beyond ordinary client behavior and is intended to simulate browser requests and evade protections and rate limits; it raises ethical, ToS, and network-abuse concerns. The skill does warn users about privacy and about not uploading sensitive images.
Install Mechanism
Install spec only requires the 'requests' Python package (via the registry's 'uv' package kind). This is a typical, low-risk dependency and no arbitrary downloads or extracted archives are present.
Credentials
The skill requests no environment variables, no credentials, and no config paths. It does not attempt to access unrelated system secrets. This is proportionate to its function.
Persistence & Privilege
The skill is not always-enabled, does not request elevated privileges, and does not modify other skills or system-wide agent settings. It reads and writes only the files the user asks it to compress.
What to consider before installing
This skill appears to do what it says (compress images via TinyPNG's web endpoint), but there are important caveats to consider before installing or running it:

- Privacy: images are uploaded to tinypng.com/tinify.cn for processing. Do not upload sensitive or personal images. The code warns about this, but it's your responsibility.
- Unofficial API & header spoofing: the script uses the web frontend endpoint (not the official API) and deliberately forges headers (random X-Forwarded-For and User-Agent) to simulate browser requests and reduce rate-limiting. That behavior can violate TinyPNG's terms of service, may be considered abusive, and could get your IP blocked. If you plan heavy use, prefer registering for the official API key as the SKILL.md itself recommends.
- Data handling: the tool can overwrite originals with --overwrite; warn users and back up important files first.
- Operational safety: run the script in a sandboxed environment first to confirm behavior; inspect the code if you have doubts (it is included). Monitor network activity if you are in a sensitive environment.

Given these points the skill is coherent with its stated purpose but carries moderate risk due to deliberate rate-limit evasion techniques and use of an unofficial endpoint. If you need high-volume or sensitive processing, use TinyPNG's official API with an API key or a vetted library instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk976f7s1ztb24z34zr12prpkfs8445f3

Runtime requirements

🗜️ Clawdis
Bins: python3

Install

uv: uv tool install requests
