Skill v1.0.0

ClawScan security

Batch image processing tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 14, 2026, 12:37 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (Python/imutils-based batch image processing) mostly matches the included files, but there are several mismatches and unsafe patterns (unsanitized shell execution, developer-local install path, inconsistent CLI names and missing bundled CLI) that make the package suspicious and worth manual review before use.
Guidance
This skill appears to implement batch image operations but has several red flags: documentation points to a developer-local pip path instead of a public installer; CLI names are inconsistent across docs and code; and the Node scripts call shell commands via execSync using user-supplied paths (risk of command injection). Before installing or running: 1) Ask the author for the canonical install instructions and the public source (GitHub URL) for the 'cli-anything-imutils' CLI. 2) Verify the external CLI's code and provenance; do not pip install from unknown local paths. 3) Inspect and, if possible, run the scripts in a sandboxed environment with non-sensitive test images. 4) Consider patching the Node scripts to use child_process.spawn/execFile with argument arrays or to properly sanitize/validate filenames to eliminate shell injection risk. 5) Confirm which exact command names are expected (e.g., '/rotate-image' vs 'imutils-rotate' vs 'cli-anything-imutils rotate-cmd') and that they map to trusted binaries. If you cannot validate the external CLI source or the author-provided install steps, treat this skill as untrusted and avoid running it on systems with sensitive files.

Review Dimensions

Purpose & Capability
concern: The skill claims to be a PyImageSearch/imutils-based tool, but the repository contains Node.js wrapper scripts that call an external CLI named 'cli-anything-imutils'. No Python CLI implementation or installer is bundled. Documentation asks the user to pip install a local path (E:\AI-Tools\...) which is a developer-specific path and not a public install source. CLI names are inconsistent across files and docs (e.g., SKILL.md examples use '/rotate-image' while package.json exposes 'imutils-rotate' and scripts call 'cli-anything-imutils rotate-cmd'). These inconsistencies are unexpected for a clean skill and reduce confidence that the requested pieces align with the described purpose.
Instruction Scope
note: SKILL.md instructs the agent to run batch PowerShell loops that list and call command-line tools to operate on files; this is within the stated purpose of batch processing images. However, the doc also instructs installing a local developer path (pip install -e . from a Windows path) and uses ambiguous command names (leading slash '/rotate-image') that don't match the actual script/command names. The PowerShell examples enumerate arbitrary files in the working directory; while expected for batch tasks, they mean the skill will access file system contents broadly when invoked.
Install Mechanism
concern: There is no install spec provided. The SKILL.md asks users to pip install a CLI from a local, developer-specific path rather than a public package or repository. The skill's code relies on an external CLI ('cli-anything-imutils') that is not included here. That combination (no packaged installer + dependency on an out-of-repo CLI + developer local path) is incoherent and increases risk because it's unclear what exactly will be installed or executed on the host.
Credentials
note: The skill does not request environment variables or credentials (good). However, the Node scripts build shell commands using user-provided file paths and pass them to child_process.execSync as a single shell command string. Paths are quoted but not otherwise sanitized; this creates a command injection risk if a malicious or malformed filename/argument is provided. No network endpoints or secrets are requested, so there is no explicit credential exfiltration, but the use of unsanitized shell execution broadens the attack surface.
Persistence & Privilege
ok: The skill does not request persistent privileges (always: false). It does not modify other skills or system-wide settings. Autonomy (disable-model-invocation false) is normal and not by itself a concern, and the skill does not request 'always: true'.