Product Image Archiver

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill mostly matches its image-archiving purpose, but its infringement-risk checks are overstated and its link handling is too loose, so it should be reviewed before use.

Only use this with trusted product links and do not rely on its infringement-risk labels as proof that images are safe to publish. Review the publisher/version mismatch, install dependencies in an isolated environment, and avoid adding API keys unless you understand how they will be used.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You could trust a “no risk” or completed risk report even though the images were not actually checked for logos, portraits, or watermarks.

Why it was flagged

The skill advertises Baidu AI logo/face/watermark infringement checks, but this code marks Baidu detection as completed while the actual API call is not implemented.

Skill content
# TODO: implement the Baidu AI API call
# Interface reserved here

result['details']['baidu_ai'] = '已检测'

Recommendation

Do not rely on the infringement labels until real detection is implemented; the skill should report this feature as unavailable or inconclusive instead of implying successful checks.

What this means

If an untrusted or malformed link is provided, the skill may fetch pages or image URLs outside the intended product sites.

Why it was flagged

The supported-site check is a substring match rather than a parsed hostname allowlist; a crafted URL containing this text could still point the downloader at an unintended host.

Skill content
if 'wsy.com' in url:
    source = WSYSource()
elif '1688.com' in url:
    source = Source1688()

Recommendation

Use strict URL parsing, require HTTPS, allow only known wsy.com/1688.com hostnames, and reject localhost/private-network destinations before fetching or downloading.
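The hardened check this recommendation describes, shown next to the substring match it replaces, as an added example that is not the skill's own code. The allowlist of registrable domains and the optional resolve hook (used to reject hosts that resolve to private or loopback addresses) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: the two product sites the skill claims to support.
ALLOWED_DOMAINS = ("wsy.com", "1688.com")

def loose_check(url: str) -> bool:
    # The skill's original style of check: any URL that merely contains
    # the text passes, including a query string or userinfo on another host.
    return "wsy.com" in url or "1688.com" in url

def _host_allowed(host: str) -> bool:
    # Exact match or a subdomain of an allowed domain; "wsy.com.evil.test"
    # does not end with ".wsy.com" and is rejected.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def _is_private_ip(addr: str) -> bool:
    # Raises ValueError when addr is not an IP literal.
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_product_url(url: str, resolve=None) -> tuple[bool, str]:
    """Return (ok, reason). resolve(host) -> list of IP strings is an
    assumed optional hook (e.g. a wrapper around getaddrinfo) so hosts
    that resolve into private networks are refused before any fetch."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname  # lowercased, brackets stripped, userinfo/port dropped
    if not host:
        return False, "missing hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        if _is_private_ip(host):
            return False, "private/loopback IP literal"
        return False, "IP literals are not allowed"
    except ValueError:
        pass  # not an IP literal; continue with hostname checks
    if not _host_allowed(host):
        return False, f"host {host!r} not in allowlist"
    if resolve is not None:
        for addr in resolve(host):
            if _is_private_ip(addr):
                return False, f"{host} resolves to private address {addr}"
    return True, "ok"
```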

What this means

It may be harder to confirm exactly who packaged this skill and which version is being reviewed or installed.

Why it was flagged

The bundled metadata differs from the provided registry metadata, which lists a different owner ID and version 1.0.1; with unknown source/homepage, this creates provenance and version-lineage ambiguity.

Skill content
"ownerId": "kn70pywhg0fyz996kpa8xj89s57yhv26",
"version": "1.0.0"
Recommendation

Verify the publisher and version before installation, and prefer a signed or clearly sourced release with consistent metadata.

What this means

If you add provider keys to a local .env file, those credentials become available to this skill’s process and should be treated as sensitive.

Why it was flagged

The documentation asks users to configure optional Baidu AI credentials/configuration even though registry metadata declares no required environment variables.

Skill content
Edit the .env file (if using Baidu AI infringement detection)

Recommendation

Use dedicated low-privilege API keys, keep the .env file private, and update the skill metadata to declare optional credential requirements clearly.