PixelMagic-PhotoLogic-9z
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a normal local photo-editing skill, but it runs ImageMagick and keeps local work files, so users should approve any install and manage temporary copies.
Before installing or using this skill, make sure you trust the ImageMagick installation source, process only photos and folders you intentionally select, and clean up the generated workspace if the images are private. No evidence of exfiltration, credential access, or deceptive behavior was found in the provided artifacts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Selected image files will be processed by a local external program, and failures or malformed inputs are handled through that program.
The skill invokes the local ImageMagick binary via subprocess. This is central to the photo-editing purpose and uses an argument list rather than shell execution, but it is still local command execution.
result = subprocess.run(['magick', '-version'], ...); cmd = [self.magick_path] + args
Install ImageMagick only from trusted package managers or the official source, and use the skill on files and directories you intentionally select.
A user or agent may need to install a system package before the skill works.
The skill depends on a system ImageMagick installation, while the registry section shows no install spec and no required binaries. This is a setup/provenance note rather than suspicious behavior because ImageMagick is expected for the stated purpose.
✅ Automatically detects and installs ImageMagick
Confirm the install command before running it, prefer trusted package managers, and verify that ImageMagick is the dependency you intended to add.
The skill can create, copy, and overwrite image-related files in its workspace during processing.
The skill copies input images and writes edited outputs into a workspace. These file mutations are expected for a local editor, but they affect the user's filesystem.
shutil.copy2(input_path, os.path.join(self.work_dir, "originals")); final_path = os.path.join(self.work_dir, "final", f"{output_name}_final.jpg")
Use explicit input and output locations, avoid sensitive directories, and review generated files before sharing or deleting originals.
Private photos and processing details may remain on disk after the edit is complete.
The skill creates persistent local folders for originals, temporary outputs, parameter records, and logs. These may include private photo data or filenames.
os.makedirs(os.path.join(self.work_dir, "originals"), exist_ok=True); os.makedirs(os.path.join(self.work_dir, "temp", "params"), exist_ok=True); self.log_file = os.path.join(self.work_dir, "log.txt")
Delete unneeded workspace folders after use, especially when processing private images, and choose a workspace location you control.
