Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

yandex-image-search

v1.0.0

Reverse image search (find image source, visually similar images). Use when user provides an image and wants to find its origin, similar images, or verify au...

0· 97·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and scripts implement reverse image search (Yandex/Google/Bing) and only require reading an image and making web requests — this matches the description. However metadata is inconsistent: the top-level name is 'yandex-image-search' while _meta.json and SKILL.md use 'reverse-image-search'; owner IDs/slug differ and there's no homepage. These inconsistencies reduce provenance confidence.
Instruction Scope
Instructions are explicit: create a local venv and pip install PicImageSearch, then run scripts/search.py against a URL or local file. The script reads local files, makes network requests to search engines, and writes diagnostic HTML files to /tmp; all of those actions are coherent with reverse-image-search but mean the skill will access local files and the network and will leave files in /tmp.
Install Mechanism
There is no packaged install spec, but SKILL.md directs pip installing PicImageSearch and typing_extensions into a venv at runtime. That requires fetching and executing third‑party code from PyPI (network dependency and supply-chain risk). This is expected for the task but worth reviewing the PicImageSearch package before installing.
Credentials
The skill declares no environment variables, credentials, or config paths. The script does not read undeclared secrets; it only reads provided image files and network responses. Requested access appears proportionate to purpose.
Persistence & Privilege
The skill's always flag is false and it doesn't request elevated privileges. It will write debug HTML files to /tmp and create a venv under the skill directory; these are local effects and within expected scope.
What to consider before installing
This skill appears to implement what it claims, but review a few things before installing:
1) Provenance: metadata and names disagree (yandex-image-search vs reverse-image-search) and no homepage is provided; prefer skills with clear source repos.
2) Supply chain: SKILL.md instructs pip install PicImageSearch; inspect the PicImageSearch PyPI project and its version history to ensure you trust it.
3) Runtime behavior: the script will access local files you point it to, make network requests to search engines, and write HTML diagnostics into /tmp; run it in an isolated environment if you're concerned.
4) Operational: the code scrapes search engines and may hit CAPTCHAs or changing HTML; expect occasional failures.
If you want higher assurance, ask the author for the canonical source repo (matching metadata), or request a fixed wheel/hash for the PicImageSearch dependency.
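The Install Mechanism finding and item 2 above both come down to the same problem: SKILL.md tells the agent to pip install PicImageSearch at runtime, so whatever PyPI serves that day is what runs. The shell script below is an added example (it is not part of the ClawHub page, the scanner, or the skill itself) showing how to freeze that dependency once and then install only from sha256-pinned requirements, so a changed or substituted package aborts the install instead of silently running. It assumes the package names from SKILL.md (PicImageSearch and typing_extensions), that python3 and pip are on PATH, and that the skill's venv should live under its own directory, as the report describes; the version numbers and hashes are whatever you obtain at freeze time, not values taken from the page.

```shell
#!/bin/sh
# Added example, not code from the skill or from ClawHub. Freezes the skill's
# runtime pip dependency to sha256 hashes and installs only from those pins.
set -eu

# Emit one "Name==Version --hash=sha256:..." line per wheel or sdist in a
# directory. Name and version are taken from the PyPI filename convention
# (Name-Version-tags.whl or Name-Version.tar.gz). Works with GNU sha256sum
# or BSD/macOS shasum.
pin_requirements() {
    dir=$1
    for f in "$dir"/*.whl "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
        else
            sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        base=$(basename "$f")
        name=$(printf '%s' "$base" | cut -d- -f1)
        ver=$(printf '%s' "$base" | cut -d- -f2 | sed 's/\.tar\.gz$//')
        printf '%s==%s --hash=sha256:%s\n' "$name" "$ver" "$sum"
    done
}

# One-time freeze (needs network): resolve PicImageSearch and its whole
# dependency tree into a directory without installing anything, then pin
# every downloaded file. Do this on the same platform you will install on,
# because platform-specific wheels hash differently.
freeze_deps() {
    dl=$1
    mkdir -p "$dl/pkgs"
    python3 -m venv "$dl/venv"
    "$dl/venv/bin/pip" download -d "$dl/pkgs" PicImageSearch typing_extensions
    pin_requirements "$dl/pkgs" > "$dl/requirements.txt"
}

# Install into the skill's own venv from the pins only. --require-hashes makes
# pip refuse anything not listed, any unpinned transitive dependency, and any
# file whose hash does not match the frozen one.
install_pinned() {
    skill=$1
    reqs=$2
    python3 -m venv "$skill/.venv"
    "$skill/.venv/bin/pip" install --require-hashes -r "$reqs"
}

# Usage (hypothetical paths):
#   freeze_deps ./pins
#   install_pinned ./yandex-image-search ./pins/requirements.txt
```

Review the generated requirements.txt once before committing it alongside the skill: the project names and version numbers in it are what you are choosing to trust, and the hashes are what pip will enforce on every later install. If a PicImageSearch dependency ships only as an sdist, pip still hashes the archive, but building it runs setup code, so prefer `--only-binary :all:` during the freeze when wheels exist.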

Like a lobster shell, security has layers — review code before you run it.

latest · vk9700chbys5r23779kfzdpn8p983kp3w
