Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pinterest

Search and browse Pinterest pins, get pin details, and send actual images to the user via Telegram/messaging. Use when the user wants to find inspiration, search for images/ideas, or browse Pinterest content. Sends images directly, not just links.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 2.4k · 7 current installs · 7 all-time installs
by sam1337 @0xs4m1337
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (search & send Pinterest images) matches the included code and instructions: it scrapes Pinterest pages, converts i.pinimg URLs to 'originals', and can use Pinterest OAuth for the official API. However the registry metadata claims no required env vars while the code and SKILL.md reference a PINTEREST_ACCESS_TOKEN for API calls (not declared), and the package is marked 'instruction-only' despite including a runnable script—this mismatch is unexpected.
Instruction Scope
SKILL.md instructs the agent to navigate Pinterest pages, snapshot/screenshot pages, extract image URLs, and send image files directly via messaging. It also documents an API path requiring an access token. The instructions access environment state (PINTEREST_ACCESS_TOKEN) that is not declared in the skill metadata, and direct the agent to perform web scraping and file-sending operations which broaden data exfiltration risk compared with a simple API-only integration.
Install Mechanism
No install spec is provided in the registry, but the included script dynamically installs the 'httpx' Python package at runtime via subprocess.check_call([python, '-m', 'pip', 'install', ...]). Dynamic pip installation executes network code and writes packages to disk at runtime; this is higher-risk than a declared, reviewed install step and should be explicit in the manifest.
Credentials
The only credential the skill needs (per code and docs) is PINTEREST_ACCESS_TOKEN for API access, which is reasonable for OAuth operations. However the skill's metadata lists no required env vars (none declared), so the required access token is not declared up-front. That omission reduces transparency and makes it easy to miss that you must provide a secret to enable API features.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable only by default. It does perform network requests and may install a Python package at runtime, but it does not request persistent elevated privileges in the manifest.
What to consider before installing
This skill appears to implement Pinterest scraping and an optional OAuth-backed API, but there are a few things to check before installing:

  • The code and docs reference PINTEREST_ACCESS_TOKEN but the skill metadata does not declare any required environment variables — ask the publisher to declare PINTEREST_ACCESS_TOKEN as a required credential so you know when a secret is needed.
  • The included Python script will run pip install httpx at runtime (it performs a subprocess installation). That modifies the runtime environment and fetches code from PyPI; prefer an explicit install step in the manifest or vendor/lock dependencies so you can audit them before they’re installed.
  • The skill uses web scraping and instructs the agent to take snapshots/screenshots and send image files directly. That behavior is consistent with the stated purpose but increases privacy and copyright risk (it pulls and transmits image content from the web). Only enable it if you trust the skill owner and you’re comfortable with the agent fetching/sending external images.

Recommendations:

  1. Ask the author to update the manifest to declare PINTEREST_ACCESS_TOKEN (requires.env) and to list dependencies or provide an install spec instead of doing runtime pip installs.
  2. Audit the included script (scripts/pinterest_api.py) in full before running it in a production or privileged environment.
  3. If you supply an access token, use a dedicated, least-privilege token (only boards:read/pins:read if possible) and store it securely.
  4. Consider limiting autonomous invocation for this skill until you’re comfortable with its behavior (or monitor its network activity).

If the publisher cannot clarify these points, treat the skill with caution or classify it as untrusted.
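The two findings the scan keeps returning to (a pip install run through subprocess, and an environment variable read but not declared) can be checked statically before a skill script is ever executed. The sketch below is an added example, not code from the skill or from ClawHub; `audit_skill_script`, `declared_env` and the embedded sample are hypothetical names, and the sample script is constructed to resemble the behaviour the report describes.

```python
import ast

# Constructed sample standing in for a skill script (not the real scripts/pinterest_api.py).
SAMPLE_SCRIPT = '''
import os, subprocess, sys
try:
    import httpx
except ImportError:
    subprocess.check_call([sys.executable, "-m", "pip", "install", "httpx"])
    import httpx
TOKEN = os.environ.get("PINTEREST_ACCESS_TOKEN")
DEBUG = os.getenv("DEBUG", "0")
'''

SUBPROCESS_CALLS = {"run", "call", "check_call", "check_output", "Popen"}


def _strings(node):
    """Collect string literals anywhere under an AST node."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def audit_skill_script(source, declared_env=()):
    """Flag runtime pip installs and env vars read but absent from the manifest."""
    pip_lines, env_names = [], set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            attr, base = node.func.attr, node.func.value
            # subprocess.<call>(["...", "pip", "install", ...]) or a shell string
            if (attr in SUBPROCESS_CALLS and isinstance(base, ast.Name)
                    and base.id == "subprocess" and node.args):
                words = " ".join(_strings(node.args[0])).split()
                if "pip" in words and "install" in words:
                    pip_lines.append(node.lineno)
            # os.environ.get("NAME") and os.getenv("NAME")
            environ_get = (attr == "get" and isinstance(base, ast.Attribute)
                           and base.attr == "environ")
            if (environ_get or attr == "getenv") and node.args:
                env_names.update(_strings(node.args[0]))
        # os.environ["NAME"]
        elif (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute)
              and node.value.attr == "environ"):
            env_names.update(_strings(node.slice))
    return {"runtime_pip_install": sorted(pip_lines),
            "undeclared_env": sorted(env_names - set(declared_env))}
```

Pass the list of variables the manifest declares as `declared_env`; anything left in `undeclared_env` is a secret or setting the script reads without saying so.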

Like a lobster shell, security has layers — review code before you run it.

Current version v1.1.1
latest vk97ee0debc59b493c24skxrrm1803bkh

SKILL.md

Pinterest Skill

Search, browse, and share Pinterest pins — sends actual images to chat, not just links.

Quick Search & Send Images

Step 1: Search Pinterest

browser action=navigate url="https://www.pinterest.com/search/pins/?q=YOUR+SEARCH+TERMS"
browser action=snapshot

Step 2: Get High-Res Image URLs

From the snapshot, find image URLs. Pinterest images follow this pattern:

  • Thumbnail: https://i.pinimg.com/236x/...
  • Medium: https://i.pinimg.com/564x/...
  • High-res: https://i.pinimg.com/originals/...

To get high-res: replace 236x or 564x with originals in the URL.

Step 3: Send Images to User

Send actual image (not link!):

message action=send media="https://i.pinimg.com/originals/xx/xx/image.jpg" message="Pin description here"

Send multiple images:

message action=send media="https://i.pinimg.com/originals/..." message="Option 1: Modern minimal"
message action=send media="https://i.pinimg.com/originals/..." message="Option 2: Cozy rustic"

Detailed Pin Workflow

  1. Navigate to Pinterest search
  2. Snapshot to see results
  3. Click on a pin for details (gets larger image)
  4. Screenshot the pin detail page OR extract originals URL
  5. Send image via message tool with media= parameter

Getting Original Images

When on a pin detail page:

  • Look for <img> with src containing i.pinimg.com
  • Convert to originals: https://i.pinimg.com/originals/{hash}.jpg
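Because the URLs in Step 2 and in this section come out of a scraped page and are then handed to the message tool, the rewrite to originals is also the place to confirm the URL really points at i.pinimg.com. The function below is an added example, not part of the skill; `to_originals` is a hypothetical name, and the general `<width>x` size pattern and the extension list are assumptions that extend the 236x and 564x cases named in SKILL.md.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "i.pinimg.com"
# 236x and 564x are from SKILL.md; accepting any "<width>x<height?>" segment is an assumption.
SIZE_SEGMENT = re.compile(r"^\d+x\d*$")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def to_originals(url):
    """Return the originals URL for a Pinterest CDN image, or None if it should not be sent."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Exact host match: rejects i.pinimg.com.evil.example and user@host tricks.
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        return None
    if parts.username or parts.password or port not in (None, 443):
        return None
    # Image paths carry no query, fragment or percent-encoding; refuse anything that does.
    if parts.query or parts.fragment or "%" in parts.path:
        return None
    segments = parts.path.split("/")[1:]
    if len(segments) < 2 or any(s in ("", ".", "..") for s in segments):
        return None
    if not segments[-1].lower().endswith(IMAGE_EXT):
        return None
    if segments[0] != "originals":
        if not SIZE_SEGMENT.match(segments[0]):
            return None
        segments[0] = "originals"
    # Rebuild from the allowlisted host rather than echoing the input netloc.
    return f"https://{ALLOWED_HOST}/" + "/".join(segments)
```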

Example: "Find me minimalist desk setups"

# 1. Search
browser action=navigate url="https://www.pinterest.com/search/pins/?q=minimalist+desk+setup"
browser action=snapshot

# 2. Extract image URLs from snapshot (look for i.pinimg.com)
# 3. Convert to high-res originals

# 4. Send images
message action=send media="https://i.pinimg.com/originals/ab/cd/ef123.jpg" message="Clean white desk with plant 🌿"
message action=send media="https://i.pinimg.com/originals/gh/ij/kl456.jpg" message="Wooden desk, natural light ☀️"

Alternative: Screenshot Method

If image URL extraction is tricky, screenshot the pin:

browser action=navigate url="https://www.pinterest.com/pin/123456/"
browser action=screenshot
# Then send the screenshot file
message action=send filePath="/path/to/screenshot.jpg" message="Here's the pin!"

API Method (For User's Own Content)

Requires OAuth token setup — see references/oauth-setup.md

export PINTEREST_ACCESS_TOKEN="your_token"
python3 scripts/pinterest_api.py boards
python3 scripts/pinterest_api.py board-pins <board_id>
python3 scripts/pinterest_api.py pin <pin_id>

Key Points

  • Always send images directly using media= parameter
  • ✅ Use originals URLs for high-res
  • ❌ Don't just send links — send the actual image
  • 💡 If URL doesn't work, screenshot the pin and send that

References

  • OAuth setup: references/oauth-setup.md
  • API endpoints: references/api-reference.md
