Skillv1.0.1

ClawScan security

Apple Photos Cleaner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 3, 2026, 5:35 PM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and runtime instructions are coherent with its stated purpose (read-only analysis of the Apple Photos SQLite DB plus an optional AppleScript-based cleanup step that requires explicit execution), but you should review and control runtime invocation because it accesses highly sensitive personal photo metadata and includes an executable cleanup path.
Guidance: This skill appears to do what it claims: read and analyze your Apple Photos SQLite DB and provide optional, user-confirmed cleanup via Photos.app AppleScript. Before installing or enabling it: - Review the full source (especially omitted scripts like location_mapper and any networking code) to confirm there are no outbound network requests or telemetry. The truncated files mention 'offline reverse geocoding' — confirm it truly runs offline. - Be aware that the skill reads highly sensitive personal metadata (people, GPS, timestamps). Only enable it if you trust the skill owner and the environment. - The deletion path uses osascript to tell Photos.app to delete items by filename; prefer running dry-run previews first and make a backup of your Photos library before executing destructive operations. - If you do not want the agent to automatically examine your photos, require explicit, user-invoked runs (do not allow autonomous invocation). If you want, I can scan the remaining truncated files for network calls, obfuscated code, or other unexpected behaviors before you install.

Review Dimensions

Purpose & Capability: noteThe name/description (Apple Photos Cleaner) matches what the code does: querying the Photos.sqlite DB, analyzing assets, and optionally performing cleanup via Photos.app AppleScript. Minor metadata mismatches: the top-level registry Requirements section lists no required binaries/env vars, while SKILL.md metadata and README declare Python 3.9+ (and the metadata includes a GitHub homepage). This is a small inconsistency but not a functional red flag.
Instruction Scope: noteSKILL.md and the scripts primarily perform read-only SQLite queries against the Photos database (expected for the stated analysis features). The one write-affecting capability is cleanup_executor.py which will issue AppleScript (osascript) commands to Photos.app to delete/move items to Recently Deleted — but only when run with an explicit execute flag (scripts default to dry-run). The cleanup uses filename matching via Photos.app search (may produce false matches), so user confirmation and careful review are required before executing. Because many implementation files were truncated in the review, I could not fully verify that no script issues outbound network requests (location_mapper mentions 'offline reverse geocoding' in docs), so remote calls should be checked in the omitted files before trusting the skill.
Install Mechanism: okThere is no install spec (the skill is distributed as code files and is instruction-driven). The project claims to use only Python stdlib (pyproject lists only dev/test extras). No suspicious remote download/install steps are present in the provided manifest.
Credentials: okThe skill requests no environment variables or credentials. It only needs file-system access to the Photos.sqlite database (default path under ~/Pictures) and the ability to run Python and osascript on macOS. These privileges are proportional to the stated purpose. Note: accessing the Photos DB gives the skill access to highly sensitive personal data (locations, people, etc.), so the absence of network credentials is reassuring but you should verify there are no hidden network calls in omitted files.
Persistence & Privilege: okalways is false and the skill does not request persistent system-level privileges. It does invoke subprocesses (osascript) for cleanup when the user explicitly opts in. Autonomous invocation (disable-model-invocation is false) is the platform default — if you do not want the agent to automatically access your photo library, restrict the skill to manual invocation.