TIFF Merge & Split
AdvisoryAudited by VirusTotal on Apr 14, 2026.
Overview
Type: OpenClaw Skill Name: tiff-merge Version: 1.0.1 The skill provides local TIFF image merging and splitting functionality using the legitimate 'utif' library. Analysis of 'index.js' and 'SKILL.md' shows the code performs standard file system operations (fs.readFileSync, fs.writeFileSync) consistent with its stated purpose, with no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read selected local image/TIFF files and create or overwrite output files at the chosen path.
The skill reads local input paths and writes a local output path supplied through the CLI. This is expected for TIFF processing, but it is still local file access that users should direct carefully.
const imageBuffer = fs.readFileSync(imagePath); ... fs.writeFileSync(outputPath, tiffBuffer);
Use explicit input and output paths, avoid protected or important locations unless intended, and keep backups if overwriting existing files.
Installing or running the skill may require the external 'utif' package, so dependency integrity matters.
The skill depends on an external npm package and does not pin a version in the shown artifact. The dependency is purpose-aligned, but users rely on npm package provenance.
install:
- kind: npm
package: utifInstall from trusted sources, consider pinning/reviewing the dependency version, and verify the installed package if using this in sensitive workflows.
Users may expect generated image files that the current implementation may not actually create.
The documentation describes splitting TIFFs into PNG/JPG images, but the code comments indicate the conversion is not fully implemented and the split function only records output filenames.
// 简化实现:保存为原始数据 // 实际需要使用 sharp 或 canvas 库转换为图片格式
Verify outputs after splitting and treat the documented JPG/PNG split support as incomplete unless the implementation is updated.