Skill v1.0.0
ClawScan security
PhotoPlus Album Downloader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 25, 2026, 3:41 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (download PhotoPlus albums) but it fetches and executes upstream Python code from the network (GitHub main/raw) and can install pip packages without pinning — this remote execution risk is disproportionate unless the user trusts the upstream project or pins a commit.
- Guidance: This skill is functionally coherent but executes code fetched from the network (GitHub main/raw) and may install Python packages. Before installing or running it: (1) review the upstream repository (or bundle) and prefer a pinned commit; (2) run the wrapper in a sandbox or VM; (3) use --dry-run and --repo-dir pointing to a vetted local clone instead of letting it auto-download; (4) avoid --install-deps in sensitive environments — instead inspect requirements.txt and install dependencies from a trusted source; and (5) be aware it will write output to ./PhotoPlus and create a .codex cache directory in the working directory.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, wrapper script, and upstream notes all align: the skill downloads PhotoPlus live albums and exposes relevant flags. Required binary (python3) matches the stated purpose; no unrelated credentials or config paths are requested.
- Instruction Scope (concern): Runtime instructions include cloning or downloading the upstream script from GitHub and then executing it. The SKILL.md and wrapper explicitly allow installing dependencies and running the upstream script; they do not require reading unrelated system files, but they do instruct the agent/operator to fetch and run remote code. The wrapper creates a local cache directory (.codex) and writes output under ./PhotoPlus, which is expected but should be noted.
- Install Mechanism (concern): There is no packaged install spec (instruction-only), but the included wrapper will: (1) attempt a shallow git clone of the upstream repo or (2) download a raw script from raw.githubusercontent.com (main branch), and then execute it. Downloading and executing unpinned code from the main branch and running pip install (possibly from a requirements file) is a higher-risk pattern because the fetched code can change after skill publication. The hosts used (github.com, raw.githubusercontent.com, PyPI) are well-known, which mitigates some risk, but the lack of pinning is the main concern.
- Credentials (ok): The skill requests no environment variables or credentials. The ability to install dependencies uses pip and network access, which is proportional to the claimed functionality but represents an escalation of runtime privileges (network + package install).
- Persistence & Privilege (ok): `always` is false and the skill does not request to be always-present. It creates local files/directories (.codex and ./PhotoPlus) in the working directory but does not modify other skills or system-wide agent configuration.
