ClawHub

Photo Pack Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears aligned with generating photo packs, but it handles face images through upload/generation helpers, so users should consider privacy and consent before use.

This looks like a normal photo-generation skill, but reference face photos are sensitive. Before installing or using it, make sure you are comfortable with the platform’s media upload and image-generation handling, and only use photos for which you have permission.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI07: Insecure Inter-Agent Communication
Medium
What this means

A photo of a person’s face may leave the local environment and be processed by media-generation infrastructure.

Why it was flagged

A local reference image is uploaded through a media helper before generation. This is expected for the photo-generation purpose, but face images are sensitive and the artifact does not describe the upload destination, retention, or provider handling.

Skill content
IMAGE_URL=$(bash "$UPLOAD_SCRIPT" --file "$IMAGE_FILE")
Recommendation

Use only images you own or have consent to process, and check the platform or provider’s media retention and privacy terms before uploading sensitive photos.

#ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill’s behavior depends partly on platform-provided media helpers rather than only the bundled skill artifact.

Why it was flagged

The script relies on media helper scripts outside the skill’s own manifest for upload and image generation. That appears purpose-aligned, but the actual helper behavior is not contained in the provided skill files.

Skill content
UPLOAD_SCRIPT="$SCRIPT_DIR/../../../../core/media/upload.sh"
GENERATE_SCRIPT="$SCRIPT_DIR/../../../../core/media/generate-image.sh"
Recommendation

Install only if you trust the platform media helpers; maintainers should clearly document these dependencies and the media-handling flow.