Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
skill-image-compress
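v0.1.0
Cross-platform image compression tool that uses sharp for efficient compression (60-80% size savings). Supports single-image and batch compression, format conversion (JPG/PNG/WebP/AVIF/HEIC), quality adjustment, and resizing. Use this skill when the user needs to reduce image file size, convert formats, shrink dimensions, batch-process images, or optimize images for upload to WeChat, email, or the web. Trigger words: "压缩" (compress), "缩小" (shrink), "...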
⭐ 0· 327·0 current·1 all-time
by ZeroX @justzerox
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: scripts implement compression, format conversion, presets, batch/recursive processing and use the sharp dependency declared in package.json. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
SKILL.md and the scripts limit behavior to environment detection, installing dependencies, reading image files, and writing compressed outputs under a dedicated output dir. The code reads/writes config only under ~/.openclaw/.../image-compress and the user's Downloads output directory; it does not attempt to read unrelated system secrets or contact external endpoints in the code.
Install Mechanism
There is no formal install spec in the metadata, but install.js runs 'npm install' in the skill directory to fetch sharp and other npm deps. Using npm is expected here, but it means network activity and native builds (sharp/libvips) may run during installation — this is normal but worth noting as a supply-chain/build-time consideration.
Credentials
The skill requires no environment variables or external credentials. It only accesses the user's home directory for its own config and writes outputs to an outputDir (default in Downloads). That access is proportional to its stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Post-install writes a config and creates an output directory under the skill's own path and the user's home — appropriate for its function.
Assessment
This skill appears to do what it claims: local image compression via sharp. Consider these points before installing:
1) Installation runs 'npm install' and will download/build native modules (sharp/libvips), which requires network access and may invoke system build tools — expect build output and possible prompts on some platforms.
2) The skill will read and write files under your home directory (its config) and write compressed images to the configured output directory (default ~/Downloads/compressed-images) — confirm you are comfortable with that file access.
3) As with any npm-based tool, there is a supply-chain risk from dependencies; if you need higher assurance, review package.json and node_modules (or install in a sandbox/container) and verify the upstream repository.
4) No credentials or external endpoints are used by the scripts; if you see prompts to provide secrets or unexpected network endpoints during install/run, abort and inspect.
If you want extra safety, run npm install manually in a sandbox first and inspect the installed packages.
scripts/detect-env.js:16
Shell command execution detected (child_process).
scripts/install.js:21
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ceqngs0y2we0wyy1v94krd582pqzq
