Photos
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local searchable index could reveal where photos were taken, what they contain, and how they are tagged even after the user stops actively using the skill.
The skill instructs the agent to persist sensitive photo-derived data, including locations, descriptions, and tags, and to keep vision analysis results permanently.
Index fields: `hash`, `path`, `date_taken`, `camera`, `gps`, `description`, `tags`, `indexed_at` ... Cache vision results permanently in sidecar JSON
Use this only on photo folders you intentionally select, review the `.photo-index/` contents, and provide a clear way to delete or rebuild the index.
Precise photo locations could be shared outside the local machine depending on how reverse geocoding is implemented.
Reverse geocoding may require sending photo GPS coordinates to an external geocoding service, but the artifact does not name the service or describe data-boundary controls.
By location: Reverse geocode GPS once, store city/country in sidecar for text search
Ask which geocoding service will be used and approve any location lookup before sending GPS data externally.
Photo metadata could be changed if the agent runs the command on originals rather than reviewed copies.
The documented EXIF command can modify photo metadata; this is purpose-aligned, but it should be done only with explicit user approval and preferably on copies or with backups.
Write date: `exiftool -DateTimeOriginal="2024:03:15 14:30:00" photo.jpg`
Require confirmation before metadata writes and verify that originals are backed up or edits are made on copies.