Skill v1.0.0

ClawScan security

Image Processor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 10:05 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions match its stated purpose (local image processing) and it does not request credentials or network access; issues are implementation bugs and a missing explicit dependency note rather than malicious behavior.
Guidance
This skill appears to do what it says: local image processing via the included Python script. Before using it for large/batch jobs: (1) Install Pillow (pip install pillow) — SKILL.md examples assume full functionality but don't explicitly show this. (2) Review and test on a small set of non-sensitive images: the script has a few implementation bugs (crop parsing uses an incorrect split, some dimension/zero-handling logic and reuse of args in batch mode can behave unexpectedly). (3) Because it operates on local files, run it in a working directory where you can safely overwrite or inspect outputs (or run on copies). There is no network activity or credential use in the code. If you plan to run large batches, consider fixing the small bugs or using a well-maintained image tool/library instead.

Review Dimensions

Purpose & Capability
ok
Name/description (image resize/convert/compress) aligns with the provided script and SKILL.md examples. The included script implements resize, crop, thumbnail, format conversion, blur, grayscale, rotation, and batch processing — all consistent with the description.
Instruction Scope
note
SKILL.md shows only local usage of the bundled script (python scripts/process.py ...). It does not instruct reading unrelated system files, contacting external endpoints, or accessing secrets. Minor issue: SKILL.md/Quick Start examples omit an explicit instruction to install the Pillow dependency (the script's docstring references it), so users may encounter an ImportError if Pillow is not installed.
Install Mechanism
ok
No install spec is present and the skill is instruction-only with an included Python script. No downloads or external install steps are executed by the skill itself. The only runtime dependency is Pillow, which must be installed by the user; this is low-risk.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths. The script operates on local files provided by the user and does not attempt to read other environment data or secrets.
Persistence & Privilege
ok
The skill is not always-enabled and uses normal model-invocation defaults. It does not modify other skills or system-wide settings and does not request elevated/persistent privileges.