Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TIFF Merge & Split

v1.0.1

Merge images into a TIFF or split a TIFF into individual images (local processing, privacy-safe)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (merge/split TIFF locally) matches the presence of Node code and the UTIF dependency referenced in SKILL.md. However, the skill repeatedly claims support for JPG/PNG input and for writing PNG/JPG outputs, but the code lacks any real JPG/PNG decoding or encoding (loadImage simply returns the raw buffer; decodeImage uses UTIF.decode which only handles TIFF). That means the advertised cross-format support is overstated and the implementation is incomplete.
Instruction Scope
SKILL.md instructs local usage and includes an install line for the npm package 'utif'. The runtime index.js operates only on local files and does not perform network calls or read environment variables (good). But the split implementation does not actually write out image files — it only logs/collects names (comment notes 'simplified implementation'); merge assumes images can be decoded with UTIF. These gaps are scope/instruction mismatches: the user-facing docs/README promise features that the code does not fully implement.
Install Mechanism
The registry metadata indicated 'No install spec', but SKILL.md contains an install entry requesting the npm package 'utif'. Using an npm package from the public registry is a low-to-moderate risk mechanism and is expected for this functionality. The inconsistency between registry install metadata and SKILL.md (missing declared install spec) is a packaging/metadata issue that should be fixed.
Credentials
The skill requests no environment variables or credentials and only requires the 'node' binary. This is proportional to a local, CLI-based image tool.
Persistence & Privilege
always is false, user-invocable is true, and disable-model-invocation is false (normal). The skill does not request persistent system privileges or attempt to modify other skills or system-wide settings.
What to consider before installing
This skill is not showing signs of data exfiltration or secret access, but it contains inconsistencies you should address before using it on important files: (1) The README and SKILL.md claim JPG/PNG input and PNG/JPG output support, but the code lacks the image decoding/encoding logic (split mode doesn't actually write files). (2) SKILL.md references installing the npm 'utif' package even though the registry metadata doesn't declare an install step. Recommended actions: run the code in a sandbox or disposable container, inspect and/or run npm install utif locally, test with non-sensitive sample files to confirm behavior, and ask the author to fix the implementation or provide a clear install spec (ideally add a proper image library like 'sharp' or canvas for JPG/PNG handling and make split actually write output files). If you need fully working JPG/PNG ↔ TIFF support, prefer a package whose code and documentation clearly match.

Like a lobster shell, security has layers — review code before you run it.

latestvk9745rbtz3xrn50fv00kwqe6r184tf77


Runtime requirements

🖼️ Clawdis
Bins: node
