v0.1.2

Image Convert Skill

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:45 AM.

Analysis

The artifacts show a straightforward local image conversion tool, with normal caution needed for local file writes and the unpinned Pillow setup step.

Guidance: This skill appears safe for normal image conversion. Before installing or using it, ensure Pillow is installed from a trusted source, choose clear input and output paths, and be careful with batch patterns so the agent only converts the images you intend.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
pip install Pillow

# or use uv
uv add Pillow

The skill depends on Pillow and asks the user to install it manually, but does not pin a version or provide an install specification.

User impact: A user may install whatever current Pillow package version is available in their package environment.
Recommendation: Install Pillow from a trusted package index and consider pinning a known-good version if reproducibility matters.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
scripts/convert.py
path.parent.mkdir(parents=True, exist_ok=True)
...
img.save(path, **save_kwargs)

The converter creates output directories and writes image files to user-supplied paths, which is expected for image conversion but can affect local files.

User impact: If the agent or user chooses the wrong output path, converted images could overwrite or create files in an unintended location.
Recommendation: Use explicit output directories, avoid pointing output at important originals unless intentional, and review batch/glob paths before running conversions.