Colormind
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is transparent and purpose-aligned, but users should know it sends color data to Colormind over plain HTTP and uses ImageMagick when processing images.
Install only if you are comfortable sending palette colors or image-derived color values to colormind.io over plain HTTP. Do not use it with sensitive images, confidential design work, or proprietary brand colors, and keep ImageMagick patched if using the image-to-palette feature.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone on the network could observe the color data being sent, and Colormind receives color information derived from any image processed through the image workflow.
The skill openly discloses that palette data and image-derived color values are transmitted to an external service without TLS.
This skill sends color data to an external service (colormind.io) ... The API uses **unencrypted HTTP** ... derived color data from your images is sent externally
Use this only for non-sensitive palettes or images, and avoid private photos, proprietary designs, or confidential brand colors.
Processing malicious or untrusted image files could expose the local ImageMagick installation to parser vulnerabilities if it is outdated.
The image workflow invokes ImageMagick on a user-supplied image path, which is expected for the feature but worth noticing because image parsers have had security issues.
convert "$IMG" -alpha off -strip -resize 256x256\> -colors 8 -unique-colors
Use a patched ImageMagick version and avoid running the image workflow on untrusted files unless you have appropriate sandboxing.
