Skill v1.0.3
ClawScan security
CLIProxy Media · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 14, 2026, 10:36 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (base64-encodes provided images/PDFs and posts them to a user-configured CLIProxy endpoint), but there are inconsistencies between the documentation and the code and the skill could be abused to send arbitrary local files to an external endpoint if misused.
- Guidance: This skill will read whatever local files you pass to it and send their base64 contents to the URL you configure (CLIPROXY_URL). Before installing or running it:
  - Only set CLIPROXY_URL to a proxy you control/trust. Treat that endpoint as capable of receiving any files you give the script.
  - Do not let an autonomous agent call this skill with unchecked file-path inputs (it can be used to exfiltrate arbitrary local files).
  - Note the SKILL.md claims compatibility with Anthropic/OpenRouter, but the script hardcodes 'x-api-key: dummy' and does not send real API keys or Authorization headers; if you intend to use non-CLIProxy providers, inspect and modify the script to add proper auth headers and test in a safe environment.
  - If you need stricter controls, require that the skill be invoked only with pre-approved file paths or add whitelist checks in the script to prevent accidental upload of sensitive files.
Review Dimensions
- Purpose & Capability (note): The skill's stated purpose (analyze images/PDFs via a CLIProxy endpoint) matches the included script: it encodes files and posts them to the configured endpoint. However the SKILL.md claims broader compatibility (Anthropic direct, OpenRouter, etc.) that the script does not actually implement (see environment/headers mismatch below). The registry metadata also lists no required env vars while the docs expect CLIPROXY_URL/CLIPROXY_MODEL; these are minor mismatches but explainable.
- Instruction Scope (concern): Runtime instructions and the script require the caller to pass file paths (or URLs). The script will read local files and embed their base64 contents into requests to the configured endpoint. That is expected for media analysis, but it also means an agent invoking this skill (or a user using exec) can send any local file path supplied to the endpoint, a potential exfiltration vector if untrusted endpoints are used or if the agent is given permission to pick arbitrary paths.
- Install Mechanism (ok): No install spec; instruction-only plus a simple Python script. Nothing is downloaded or written during install, which is low-risk from an installation perspective.
- Credentials (concern): The skill expects CLIPROXY_URL and CLIPROXY_MODEL in its docs, which are reasonable. But the SKILL.md claims compatibility with Anthropic/OpenRouter and suggests using ANTHROPIC_API_KEY/Bearer tokens for non-CLIProxy endpoints. The included script does not read any API-key env or set an Authorization header (it hardcodes 'x-api-key: dummy'), so those compatibility claims are misleading. No high-privilege secrets are requested by the skill, but the documentation/code mismatch could cause users to accidentally send credentials to the wrong place if they modify the script or proxy behavior.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) nor modifies system-wide config. It simply provides an executable script invoked on demand.
