Skill v1.0.0

ClawScan security

pexels-image-downloader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 3:21 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and SKILL.md match the stated Pexels downloader purpose, but the registry metadata and manifest are inconsistent (it fails to declare the required PEXELS_API_KEY and references many files that are not present); these mismatches warrant caution before installing.
Guidance
This package appears to implement a legitimate Pexels image downloader, but there are inconsistencies you should resolve before installing:
1) The skill requires a PEXELS_API_KEY (the script reads $PEXELS_API_KEY), but the registry metadata fails to declare it; assume you must set that environment variable.
2) SKILL.md lists many auxiliary files (config/, scripts/, examples/, docs/) that are not included in the manifest; verify the author/source or be prepared to supply your own configs.
3) Inspect download_pexels.py yourself (it is included) and run it in an isolated environment (virtualenv/container) after installing requirements.txt.
4) Confirm you are comfortable giving a Pexels API key to this tool, and check Pexels API rate limits and terms.
If you don't trust the source or need the missing files, request an updated package/metadata from the author, or only run the provided script locally after manual review.

Review Dimensions

Purpose & Capability
Rating: concern
The code (download_pexels.py) and SKILL.md implement a Pexels downloader that legitimately needs a PEXELS_API_KEY. However, the registry metadata/requirements section claims 'Required env vars: none' and 'Primary credential: none', which contradicts the documented need for an API key. SKILL.md also lists many project files (config/, scripts/, examples/, docs/) that are not present in the package manifest, which is inconsistent.
Instruction Scope
Rating: concern
The instructions and the included Python script stay within the downloader scope (search the Pexels API, download, resize, save metadata). They do instruct the agent/user to read the PEXELS_API_KEY environment variable and write files to an output directory (expected). The concern is that the runtime instructions reference environment configuration and auxiliary files that are neither declared in the registry metadata nor provided in the package (missing config/, scripts/, examples/), which could cause unexpected behavior or confusion.
Install Mechanism
Rating: note
There is no formal install spec in the registry (instruction-only install). SKILL.md and package.json recommend pip install -r requirements.txt; requirements.txt is present and contains only requests and pillow. This is a low-risk install mechanism, but because it is not enforced by the registry metadata, users must run pip manually; no arbitrary external downloads or obscure URLs are used.
Credentials
Rating: concern
The code requires a single service credential (PEXELS_API_KEY), which is proportionate to the stated purpose. But the package/registry metadata does not declare that environment variable or any primary credential; that mismatch is problematic because users won't be warned about a secret requirement. No other unrelated credentials are requested.
Persistence & Privilege
Rating: ok
The skill does not request persistent or elevated platform privileges (always:false). It does not modify other skills or system-wide configs. It writes downloaded images and metadata into the specified output directory (normal for this tool).