pexels-image-downloader
v1.0.0使用Pexels API搜索和下载高质量免费图片,支持自动调整尺寸和格式验证
⭐ 0· 280·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The code (download_pexels.py) and SKILL.md implement a Pexels downloader that legitimately needs a PEXELS_API_KEY. However the registry metadata/requirements section claims 'Required env vars: none' and 'Primary credential: none' — that contradicts the documented need for an API key. SKILL.md also lists many project files (config/, scripts/, examples/, docs/) that are not present in the package manifest, which is inconsistent.
Instruction Scope
The instructions and the included Python script stay within the downloader scope (search Pexels API, download, resize, save metadata). They do instruct the agent/user to read the PEXELS_API_KEY environment variable and write files to an output directory (expected). The concern is that the runtime instructions reference environment configuration and auxiliary files that are not declared in the registry metadata or provided in the package (missing config/, scripts/, examples/), which could cause unexpected behavior or confusion.
Install Mechanism
There is no formal install spec in the registry (instruction-only install). The SKILL.md and package.json recommend pip install -r requirements.txt; requirements.txt is present and contains only requests and pillow. This is a low-risk install mechanism but because it's not enforced by the registry metadata, users must manually run pip; no arbitrary external downloads or obscure URLs were used.
Credentials
The code requires a single service credential (PEXELS_API_KEY) which is proportionate to the stated purpose. But the package/registry metadata does not declare that environment variable or any primary credential — that mismatch is problematic because users won't be warned about a secret requirement. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false). It does not modify other skills or system-wide configs. It writes downloaded images and metadata into the specified output directory (normal for this tool).
What to consider before installing
This package appears to implement a legitimate Pexels image downloader, but there are inconsistencies you should resolve before installing: 1) The skill requires a PEXELS_API_KEY (the script reads $PEXELS_API_KEY) but the registry metadata fails to declare this — assume you must set that env var. 2) SKILL.md lists many auxiliary files (config/, scripts/, examples/, docs/) that are not included in the manifest; verify the author/source or be prepared to supply your own configs. 3) Inspect download_pexels.py yourself (it is included) and run it in an isolated environment (virtualenv/container) after installing requirements.txt. 4) Confirm you are comfortable giving a Pexels API key to this tool and check Pexels API rate limits and terms. If you don't trust the source or need the missing files, request an updated package/metadata from the author or only run the provided script locally after manual review.Like a lobster shell, security has layers — review code before you run it.
latestvk97fhhvj706h8zs58tk1za8vv582gdkt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📸 Clawdis