ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Imgur CLI

v0.1.0

Imgur API CLI for agents. Upload images by file path or URL, fetch image metadata, delete uploads via delete-hash, create and manage albums. Anonymous upload...

0· 13·0 current·0 all-time
byChloe Park@chloepark85
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, README, SKILL.md, and the included Python code all align: the package implements Imgur upload/get/delete and album management via the official Imgur API. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none' while both SKILL.md and the code require either IMGUR_CLIENT_ID or IMGUR_ACCESS_TOKEN; this registry omission is an incoherence that could mislead users about needed credentials.
Instruction Scope
Runtime instructions and code are narrowly scoped to Imgur operations: they read a user-supplied local file (or accept an image URL), base64-encode it, and call https://api.imgur.com/3 endpoints. The SKILL.md does not instruct reading unrelated system files or transmitting data to unexpected endpoints.
Install Mechanism
No formal install spec was registered with the skill host, yet SKILL.md instructs 'pip install -e .' and the package contains pyproject.toml and source code — this is an inconsistency in the registry metadata. The install itself is a normal pip install and depends only on 'requests', which is low risk compared to arbitrary remote downloads, but because the source is 'unknown' you should inspect it before installing.
!
Credentials
The code legitimately needs either IMGUR_CLIENT_ID (anonymous uploads) or IMGUR_ACCESS_TOKEN (authenticated uploads). Requesting those credentials is proportional to the stated purpose. The concern is that the skill registry metadata does not declare these requirements (it lists no required env vars / no primary credential), which is a misleading omission that affects security review and automated permissioning.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide agent settings. It performs network calls to Imgur only and does not claim elevated platform privileges.
What to consider before installing
This package appears to do exactly what it says (wrap Imgur API) but the registry metadata omitted key facts. Before installing: 1) Verify the source code (the included files are short and readable) and confirm there are no hidden endpoints beyond api.imgur.com. 2) Be prepared to provide either IMGUR_CLIENT_ID or IMGUR_ACCESS_TOKEN; don't supply a privileged/shared token unless you trust the package and its maintainers—prefer a throwaway Imgur account or anonymous Client-ID for agent-hosted uploads. 3) Note the package will read any local file path you give it (so don't let an agent upload sensitive files). 4) Because the registry lists no install spec but SKILL.md asks for 'pip install -e .', inspect the package and its pyproject.toml before running pip; avoid blindly installing packages from unknown sources. If the maintainer/registry can update metadata to declare the required env vars and an authoritative source/homepage, that would resolve the main incoherence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ejhabevks6afgb2wkh67y3585c21m
13downloads
0stars
1versions
Updated 5h ago
v0.1.0
MIT-0
Chloe Park@chloepark85
latest
Download

Imgur CLI

Wraps the official Imgur v3 API for AI agents. Upload images by file or URL, fetch metadata, delete by delete-hash, and manage albums — all as subcommands that print JSON.

When to use

Trigger this skill when:

  • An agent just produced an image (from nano-banana-pro, generate-image, ffmpeg, matplotlib, etc.) and another step needs a public URL.
  • A user asks to "host this image", "get a shareable link for this file", or "upload to Imgur".
  • You need to persist screenshots or render artifacts as shareable links.
  • Archiving URLs into Imgur albums for later retrieval.

Pairs well with: instagram-api (needs hosted URLs), nano-banana-pro, generate-image, Discord/Telegram posting skills.

Install

pip install -e .

Then set either:

Commands

imgur-cli upload <file-or-url> [--title T] [--description D] [--album HASH]
imgur-cli get <image-hash>
imgur-cli delete <delete-hash-or-id>
imgur-cli album-create [--title T] [--description D] [--privacy public|hidden|secret] [--image ID ...]
imgur-cli album-add <album-hash> --image ID [--image ID ...]

All commands print the Imgur API data object as indented JSON. Errors exit non-zero with the Imgur error payload on stderr.

Examples

# Anonymous upload, grab the shareable link
export IMGUR_CLIENT_ID="<client id>"
imgur-cli upload ./photo.jpg --title "cat pic" | jq -r '.link'

# Upload to user account
export IMGUR_ACCESS_TOKEN="<oauth token>"
imgur-cli upload https://example.com/pic.png --description "from pipeline"

# Save the delete-hash for later cleanup
imgur-cli upload ./tmp.png | jq -r '.deletehash' > .imgur-delete

# Create a private album of existing images
imgur-cli album-create --title "run-042" --privacy hidden --image aBc12 --image xYz34

Notes

  • Max image size: 10MB; videos are not supported by this skill (images only).
  • Anonymous deletehash is the only way to remove anonymous uploads — store it.
  • Respect Imgur rate limits (see your developer dashboard).

Comments

Loading comments...