pexels-image-downloader

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Pexels image-downloading skill, with minor documentation and metadata gaps users should notice before installing.

This skill is reasonable to install if you want a Pexels image downloader. Before using it, be prepared to set a Pexels API key, do not paste or print the key in shared logs, choose an output directory you are comfortable writing files to, and verify the documented helper features you need are actually included.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse

Low

What this means

You will need to provide a Pexels API key for the skill to work.

Why it was flagged

The script requires a Pexels API key and sends it as an Authorization header to Pexels. This is expected for the stated integration, but it is still delegated account/API access that users should treat as a credential.

Skill content

self.api_key = api_key or os.getenv('PEXELS_API_KEY') ... self.headers = {'Authorization': self.api_key}

Recommendation

Use a Pexels key intended for this purpose, avoid sharing or logging it, and update the registry metadata to declare PEXELS_API_KEY as a required credential.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Dependency behavior may vary over time depending on what PyPI resolves during installation.

Why it was flagged

The skill installs common purpose-aligned dependencies, but the versions are not pinned exactly, so future installs may resolve to different package versions.

Skill content

requests>=2.31.0
pillow>=10.0.0

Recommendation

Pin exact dependency versions or provide a lockfile if reproducible installs are important.

#ASI09: Human-Agent Trust Exploitation

Info

What this means

Some documented commands or advertised validation features may fail or may not actually be provided by this package.

Why it was flagged

The documentation references validation helpers and other project files/options that are not included in the supplied file manifest, which could lead users or agents to rely on unavailable functionality.

Skill content

python validate_images.py \
  --dir ./downloads \
  --platform xiaohongshu

Recommendation

Align SKILL.md with the included files and implemented CLI options, or include the referenced helper scripts.