ClawHub

Image Hosting for agents

v1.0.1

AgentImgHost REST API for uploading, listing, and deleting images. Returns direct public CDN URLs.

0· 139·0 current·0 all-time
byJacob Maldonado@jacobmaldonado
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and declared requirement (AGENTIMGHOST_API_KEY) align with the SKILL.md content which documents a REST API at agent-img.com for upload/list/delete and returning public CDN URLs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions are focused on using the AgentImgHost REST API (curl examples, Authorization header) and on resizing images using standard local tools (sips, ImageMagick). This is within scope, but the instructions explicitly upload local files (paths like /path/to/image.png and /tmp), so an agent with this skill could upload any accessible local image — potentially exposing sensitive local content if not constrained.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes on-disk footprint and installation risk.
Credentials
Only AGENTIMGHOST_API_KEY is required and declared as the primary credential. The SKILL.md uses a bearer token in examples and does not reference other environment variables or unrelated secrets.
Persistence & Privilege
always is false (normal). disable-model-invocation is false (agent may call the skill autonomously), which is standard — but because uploads produce publicly accessible CDN URLs, autonomous use increases the risk of inadvertent public disclosure of images. Consider limiting autonomous invocation or using scoped/rotating tokens.
Assessment
This instruction-only skill appears coherent for an image-hosting integration. Before installing: (1) only provide an API key scoped to the minimum needed (if the service supports scoped or read-only tokens); avoid giving a token that grants account-wide or billing access. (2) Be aware the skill uploads local files and returns permanent public CDN URLs — do not allow it to run autonomously if you might have sensitive images on the host. (3) Review account settings (circular overwrite, retention/grace periods) and consider using short-lived tokens or an account dedicated to the agent. (4) If you enable autonomous invocation, add policy or prompts that prevent the agent from uploading files unless explicitly authorized by the user for that session.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b7hpf7jpda143teb8c0jyyh83af1d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvAGENTIMGHOST_API_KEY
Primary envAGENTIMGHOST_API_KEY

Comments