Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crop Image
v0.1.0
Use this skill when an AI agent needs to crop images through the deployed Crop Image service. Trigger this for URL-based cropping (`POST /crop`) and file-upl...
by EricDoe@effimail
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The name/description match the instructions: the SKILL.md shows how to call a remote cropping API by URL or file upload. However there are minor inconsistencies: the metadata/docs domains reference api.imageclaw.net/imageclaw, while the success example returns a cropped_url hosted at crop.imagebee.net — this domain mismatch could be benign (CDN/third-party storage) but is unexplained. Also the skill does not declare any authentication (API key) although many hosted APIs require one; omission is not fatal but should be clarified.
Instruction Scope
The instructions tell the agent to upload local files using curl -F file=@/absolute/path/to/photo.jpg which necessarily causes a local file to be sent to a third-party endpoint. That is expected for upload cropping but is a privacy/exfiltration risk if the agent is given broad file access or runs autonomously. The SKILL.md does not warn about sending sensitive images, nor does it constrain allowed paths or require user confirmation before uploading. Otherwise the steps (validate URL, width/height, handle HTTP errors) are scoped to the stated purpose.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and there is no external installer to review.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the instructions do not reference any secrets. That aligns with the presented curl examples (no Authorization header). If the real service requires an API key, the skill is incomplete rather than over-privileged.
Persistence & Privilege
`always` is false and there is no install-time code that would persist or modify agent/system configuration. The skill does not request elevated or permanent presence.
What to consider before installing
This skill appears to do what it says (call a remote crop API) but take these precautions before installing or allowing autonomous use:
1) Confirm the real service domains and why the success example uses crop.imagebee.net while metadata references imageclaw — ask the maintainer or check the public docs for CDN/storage behavior.
2) Understand privacy: any local file uploaded (file=@/path/...) will be sent to an external server; do not allow this for sensitive images.
3) Confirm whether the remote API requires authentication (API key) — the skill does not declare one.
4) Test with non-sensitive sample images first.
5) If you will allow autonomous agent invocation, restrict or require explicit user confirmation before the agent uploads files to the internet.
If you can get the service's official docs or an explanation for the domain mismatch and auth requirements, that will raise confidence.
latest: vk977nys5tdj9bx44zakvy2z0nn82renw
