v1.0.4

Image

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:31 AM.

Analysis

This instruction-only image skill is coherent and benign, though users should be careful with optional command examples that can overwrite files or run registry packages.

Guidance: This skill appears safe to install as image-processing guidance. Before running any example commands, work on copies, review batch and overwrite flags carefully, and treat npx examples as external code execution.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
commands.md
mogrify -resize 1920x1080\> *.jpg ... exiftool -all= -overwrite_original input.jpg

These examples can batch-modify images or overwrite metadata in local files. This is expected for an image-processing command reference, and the same file advises users to spot-check files and prefer writing outputs to a new path.

User impact: If copied without care, these commands could alter or overwrite original image files or remove metadata.
Recommendation: Run commands on copies first, spot-check one file before batch processing, and prefer output paths that preserve the original asset.

Unexpected Code Execution
Severity: Low, Confidence: High, Status: Note
commands.md
npx svgo input.svg -o output.svg ... Treat `npx` examples as remote-code execution from the package registry and use them only in trusted environments.

The command examples include npx-based tooling, which can execute package-registry code. The artifact explicitly discloses this risk and frames the commands as examples for users who need concrete commands.

User impact: Running the npx examples would trust external package code in the user's environment.
Recommendation: Use trusted packages, consider pinned versions or local installations, and avoid running npx commands in sensitive directories or untrusted environments.