Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baoyu Compress Image

v1.103.1

Compresses images to WebP (default) or PNG with automatic tool selection. Use when user asks to "compress image", "optimize image", "convert to webp", or red...

0 · 838 · 41 current · 42 all-time
by Jim Liu 宝玉 @jimliu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included TypeScript script and SKILL.md. The anyBins requirement (bun or npx) matches the bun shebang and invocation guidance. No unrelated credentials, config paths, or binaries are requested.
Instruction Scope
Instructions and script operate on local files and may read EXTEND.md from project/user config locations to apply preferences (this is reasonable for per-user configuration). The script will rename/move files (it renames the original to *_original when --keep is false) and invokes external image tools (sips, cwebp, convert) or the sharp library; these behaviors are within scope but have direct filesystem impact (possible surprising renames/overwrites) so users should be aware.
Install Mechanism
No install spec or remote downloads are included. The skill is instruction+code only. Running it requires bun (or using npx to run bun), and sharp may be imported at runtime; those runtime dependencies are expected for a TypeScript/bun image tool.
Credentials
No environment variables or secrets are required. The only environment dependency is presence of bun or npx and optional external image binaries, which is proportional to the stated functionality.
Persistence & Privilege
The skill is user-invocable and not set to always:true. It does not request persistent system privileges or modify other skills' configurations. Its filesystem accesses are limited to inputs, outputs, and optional EXTEND.md config files.
Assessment
This skill appears to do what it says, but take these precautions before running it:
- Back up images you care about. By default (keep = false) the script renames the original to filename_original and writes a compressed file; this can be surprising if you expected an untouched original.
- Prefer running with --keep initially or test on a small sample directory to confirm behavior.
- Ensure you trust the runtime tools: bun or npx (npx will fetch packages if bun isn't installed) and any external binaries (cwebp, convert, sips). If possible install bun locally rather than invoking via npx to avoid on-demand package fetch.
- Review any EXTEND.md in your project or home config before use; the skill reads those files to apply preferences.
- The script imports sharp if native tools are missing; ensure your environment can install or provide sharp safely.

No network endpoints or secret exfiltration requests were found, and no unrelated credentials are required.
scripts/main.ts:32
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Any bin: bun, npx
