Imgur CLI
PassAudited by ClawScan on May 10, 2026.
Overview
This is a straightforward Imgur CLI; its main risks are the expected ones: it can publicly upload images and use Imgur credentials to manage account content.
Install only if you want an agent to upload selected images to Imgur. Do not use it on private or sensitive files, keep any OAuth token protected, and save delete hashes if you need to remove anonymous uploads later.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent can turn a chosen local image or URL into a public Imgur link, and can delete or organize Imgur content when given the relevant IDs or credentials.
The skill explicitly supports public image hosting and deletion/album-management commands. This is purpose-aligned, but these actions can expose or change user content if used on the wrong file or image ID.
Use when a user needs to host an image publicly, turn a local file into a shareable URL ... imgur-cli upload <file-or-url> ... imgur-cli delete <delete-hash-or-id>
Use it only for images intended to be public, review file paths before upload, and confirm delete or album-management actions when they affect important content.
With an Imgur OAuth token, the agent may upload to the user's account and perform supported image or album operations.
The CLI reads Imgur credentials from environment variables and sends them as Imgur authorization headers. This is expected for the integration, but it gives the tool delegated account authority when an OAuth token is used.
token = access_token or os.getenv("IMGUR_ACCESS_TOKEN") ... return {"Authorization": f"Bearer {token}"} ... cid = client_id or os.getenv("IMGUR_CLIENT_ID")Prefer a Client-ID for anonymous uploads when possible, keep OAuth tokens scoped and revocable, and avoid exposing these environment variables to unrelated tools.
Installing the skill may install or reuse a compatible requests package from the Python environment.
The package depends on the external requests library with a lower-bound version rather than a lockfile. This is common for a small Python CLI and no malicious install behavior is shown, but it is still a supply-chain consideration.
dependencies = ["requests>=2.28.0"]
Install from a trusted environment and consider pinning dependencies if using this in a production or sensitive workflow.