Photos

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: photos
Version: 1.0.0

The skill bundle is classified as benign. The `SKILL.md` instructions consistently emphasize non-destructive operations, such as moving files to a trash folder instead of deleting, never overwriting originals, and requiring user review for bulk actions. It leverages standard tools like `exiftool`, `sips`, `heif-convert`, and `ls` for legitimate photo management tasks (indexing, metadata handling, conversion, file system checks). There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the OpenClaw agent. The instructions are transparent and align with the stated purpose of organizing and searching local photo libraries.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local searchable index could reveal where photos were taken, what they contain, and how they are tagged even after the user stops actively using the skill.

Why it was flagged

The skill instructs the agent to persist sensitive photo-derived data, including locations, descriptions, and tags, and to keep vision analysis results permanently.

Skill content

Index fields: `hash`, `path`, `date_taken`, `camera`, `gps`, `description`, `tags`, `indexed_at` ... Cache vision results permanently in sidecar JSON

Recommendation

Use this only on photo folders you intentionally select, review the `.photo-index/` contents, and provide a clear way to delete or rebuild the index.

What this means

Precise photo locations could be shared outside the local machine depending on how reverse geocoding is implemented.

Why it was flagged

Reverse geocoding may require sending photo GPS coordinates to an external geocoding service, but the artifact does not name the service or describe data-boundary controls.

Skill content

By location: Reverse geocode GPS once, store city/country in sidecar for text search

Recommendation

Ask which geocoding service will be used and approve any location lookup before sending GPS data externally.

What this means

Photo metadata could be changed if the agent runs the command on originals rather than reviewed copies.

Why it was flagged

The documented EXIF command can modify photo metadata; this is purpose-aligned, but it should be done only with explicit user approval and preferably on copies or with backups.

Skill content

Write date: `exiftool -DateTimeOriginal="2024:03:15 14:30:00" photo.jpg`

Recommendation

Require confirmation before metadata writes and verify that originals are backed up or edits are made on copies.