Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Smart Image Finder
v1.0.4
Smart image search and download tool for AI agents. Three methods: news website extraction, Brave image search, AI generation. Use cases: article illustratio...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (image search/download via news extraction, Brave search, AI generation) align with the included README, SKILL.md examples, and two shell scripts. The provided patterns and download/verify workflows are consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to fetch arbitrary webpages and call external image APIs (Brave, Pollinations) and to download files via curl. Those actions are within the skill's scope, but the docs explicitly show using an environment variable BRAVE_API_KEY (and rely on CLI tools like jq/file/identify) even though no env var is declared in the registry metadata. The instructions also suggest scraping many news sites directly; while functional, that can hit sites requiring JS/cookie/signatures (which the docs acknowledge) and may have legal/copyright implications.
Install Mechanism
No install spec; the skill is instruction-only plus two small shell scripts. There are no downloads from untrusted URLs or package installs. The scripts are plain Bash using curl/file/jq/identify — low install risk.
Credentials
Registry metadata lists no required environment variables, but SKILL.md and README examples use BRAVE_API_KEY for Brave image search. This mismatch is an incoherence: if users intend to use the Brave method they must provide a secret not declared by the skill. No other secrets are requested, which is proportionate to purpose, but the missing declaration reduces transparency.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or system-wide configuration changes. It merely runs CLI commands and downloads images; autonomous invocation is allowed by default (platform normal) but not combined with other high-risk flags.
What to consider before installing
- Transparency: SKILL.md shows using a BRAVE_API_KEY for the Brave image-search examples, but the registry metadata does not declare this required env var — ask the publisher to add BRAVE_API_KEY to requires.env so it’s explicit.
- Network & secrets: the skill performs arbitrary HTTP requests (curl) and will download remote files. Only provide the Brave API key if you trust the skill and the agent environment; do not reuse high-privilege credentials.
- Legal/copyright: the skill scrapes news sites and downloads images. Confirm you have the right to use downloaded images for your intended purpose.
- Operational: the scripts require curl, grep, jq, file, and optionally ImageMagick (identify). Ensure those tools are available in the agent runtime.
- If you need higher assurance: ask for the publisher contact or source repo, request that required env vars be declared, and review any agent logs for unexpected outbound requests when the skill runs.
Given the single clear incoherence (undeclared BRAVE_API_KEY) and otherwise straightforward scripts, the skill may be legitimate but warrants caution and clarification before trusting with credentials or production use.
Like a lobster shell, security has layers — review code before you run it.
