Imgur CLI

Advisory

Audited by VirusTotal on Apr 23, 2026.

Overview

Type: OpenClaw Skill
Name: imgur-cli
Version: 0.1.0

The `imgur-cli` skill is a standard API wrapper for Imgur, providing functionality to upload images, manage albums, and retrieve metadata. The code in `src/imgur_cli/core.py` correctly implements the Imgur v3 API using the `requests` library and handles authentication via environment variables (`IMGUR_CLIENT_ID` or `IMGUR_ACCESS_TOKEN`). There is no evidence of malicious intent, data exfiltration beyond the stated purpose, or suspicious execution patterns.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent can turn a chosen local image or URL into a public Imgur link, and can delete or organize Imgur content when given the relevant IDs or credentials.

Why it was flagged

The skill explicitly supports public image hosting and deletion/album-management commands. This is purpose-aligned, but these actions can expose or change user content if used on the wrong file or image ID.

Skill content

Use when a user needs to host an image publicly, turn a local file into a shareable URL ... imgur-cli upload <file-or-url> ... imgur-cli delete <delete-hash-or-id>

Recommendation

Use it only for images intended to be public, review file paths before upload, and confirm delete or album-management actions when they affect important content.

What this means

With an Imgur OAuth token, the agent may upload to the user's account and perform supported image or album operations.

Why it was flagged

The CLI reads Imgur credentials from environment variables and sends them as Imgur authorization headers. This is expected for the integration, but it gives the tool delegated account authority when an OAuth token is used.

Skill content

token = access_token or os.getenv("IMGUR_ACCESS_TOKEN") ... return {"Authorization": f"Bearer {token}"} ... cid = client_id or os.getenv("IMGUR_CLIENT_ID")

Recommendation

Prefer a Client-ID for anonymous uploads when possible, keep OAuth tokens scoped and revocable, and avoid exposing these environment variables to unrelated tools.

What this means

Installing the skill may install or reuse a compatible requests package from the Python environment.

Why it was flagged

The package depends on the external requests library with a lower-bound version rather than a lockfile. This is common for a small Python CLI and no malicious install behavior is shown, but it is still a supply-chain consideration.

Skill content

dependencies = ["requests>=2.28.0"]

Recommendation

Install from a trusted environment and consider pinning dependencies if using this in a production or sensitive workflow.