ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Main Image Editor

Orchestrate screenshot + Chinese instruction into PSD batch edits with transaction rollback by reusing psd-automator.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 44 · 1 current installs · 1 all-time installs
by@dhrxy
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim: parse screenshot + Chinese instruction into PSD edits and orchestrate psd-automator — the code implements intent parsing (Chinese text + OCR), builds psd-automator task JSON, runs the local psd-automator runner, and performs transactional backups/rollback. Required binaries (tesseract, swift, node) and file I/O are coherent with the purpose.
Instruction Scope
Instructions and code operate on local files (expanding ~, resolving absolute paths, checking existence), run local OCR (tesseract or macOS Vision via swift), spawn node subprocesses to run psd-automator, write temp JSON files to the OS temp dir, copy PSDs to create backups, and remove temporary outputs. These are expected for this task, but note the skill can read and modify arbitrary PSD files that it resolves (including files anywhere the user points the index or exact paths at), and it executes local commands — so users should only run it in environments where those file writes and external commands are acceptable.
Install Mechanism
No install spec; skill is code + scripts that run with node. No downloads or remote installation steps are present in the manifest, so there is no installer-based risk.
Credentials
The skill declares no required environment variables or credentials. It uses no network endpoints or external tokens. It does rely on system binaries (node, tesseract, optionally swift) and the local psd-automator code; these are proportionate to the stated functionality.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent elevated privileges or modify other skills' configs. It creates backups and temporary files for transaction safety, which is normal for its purpose.
Assessment
This skill is coherent with its stated purpose, but it performs local file I/O and runs local binaries (node, tesseract, and on macOS swift). Before using: 1) ensure you have a trusted local copy of the psd-automator dependency referenced (../../psd-automator); if psd-automator is absent the skill will fail. 2) Run with --dry-run first and test against non-sensitive PSDs to verify behavior. 3) Be aware it will copy/overwrite PSD files and create .txn-bak backups in the same directory — review those backups and cleanup policy. 4) Only give it request/index paths that point to directories/files you want modified. 5) If you require stronger isolation, run it in a sandboxed environment or VM. If you'd like, I can highlight the exact code locations that perform backups, temp-file writes, OCR subprocess spawning, and psd-automator invocation.
lib/intent-parser.js:41
Shell command execution detected (child_process).
lib/task-orchestrator.js:33
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9745j1hpprdbgprgatm4n7rc58317aj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

main-image-editor

Orchestration layer for "main image modification" workflows:

  1. Parse screenshot + Chinese instruction into structured edit tasks.
  2. Convert tasks into psd-automator task JSON.
  3. Execute serially with transaction rollback (rollback all on any failure).
  4. Reuse psd-automator export + bundle output.

Usage

node skills/main-image-editor/scripts/run-main-image-editor.js \
  --request skills/main-image-editor/examples/request.sample.json \
  --index ~/.openclaw/psd-index.json

Dry-run or force execute:

node skills/main-image-editor/scripts/run-main-image-editor.js \
  --request skills/main-image-editor/examples/request.sample.json \
  --dry-run

node skills/main-image-editor/scripts/run-main-image-editor.js \
  --request skills/main-image-editor/examples/request.sample.json \
  --force

Request payload

request JSON supports:

  • text: Chinese requirement text
  • screenshotPath: screenshot path (used for match + audit)
  • confidenceThreshold: optional (default 0.8)
  • tasks: optional pre-parsed tasks (skip regex parsing when provided)
  • execution: optional runtime controls (indexPath, dryRun, force)

When fileHint is missing, parser will try to extract .psd/.psb filename from:

  1. request text
  2. OCR text from screenshotPath (local tesseract command or macOS Vision OCR fallback)

Failure policy

  • Default policy is rollback_all.
  • Any single PSD failure restores all touched PSD files from transaction backups.
  • Temporary outputs generated in the failed run are cleaned up before returning.

Files

9 total
Select a file
Select a file to preview.

Comments

Loading comments…