Batch image processing tool

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This image-processing skill matches its purpose, but its scripts build shell commands from file names and options, so a crafted path or parameter could run unintended commands on your computer.

Review or patch the scripts before installing. If you still use it, process only trusted image folders and filenames, avoid untrusted parameters, and verify the separate cli-anything-imutils installation source.

Static analysis

Dangerous exec (reported 4 times, one finding per flagged script)

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious filename, folder path, or option value could break out of the intended image command and execute arbitrary local shell commands when the agent runs the tool.

Why it was flagged

User-supplied input, output, width, height, and interpolation values are concatenated into a shell command string and executed. The same pattern appears in the rotate, skeleton, and translate scripts.

Skill content
let cmd = `cli-anything-imutils resize "${input}" "${output}"`;
...
cmd += ` --width ${width}`;
...
const result = execSync(cmd, { encoding: 'utf-8' });
Recommendation

Use only trusted paths and parameters until the maintainer replaces execSync shell strings with execFileSync or spawn using argument arrays, validates numeric/options values, and safely handles paths.

What this means

If the external cli-anything-imutils installation is missing, modified, or from an untrusted source, the skill may fail or run code the user did not review.

Why it was flagged

The skill relies on a separate editable Python CLI install outside the scanned package, so the behavior also depends on local code that is not included in these artifacts.

Skill content
cd E:\AI-Tools\CLI-Anything\CLI-Anything\imutils\agent-harness
pip install -e .
Recommendation

Install the external CLI only from a trusted, pinned source and have the skill declare required binaries/dependencies explicitly.