t-cpm custom skill
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its image-filtering purpose, but it should be reviewed because it defaults to permanently deleting images based on AI decisions and uploads images to a configured model API.
Install only if you are comfortable with an AI model reviewing your images and with the skill deleting files. First run it with --delete_invalid False on a copied test folder, check the results manually, verify the configured Base URL/API key, and keep backups before enabling deletion.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Images may be permanently lost if the model misclassifies them, the keyword rules are too strict, or the agent runs the default command on the wrong path.
The default mode permanently deletes files that the model classifies as not matching, with no additional confirmation or trash/recovery step.
parser.add_argument("--delete_invalid", ... default=True, help="是否自动删除不符合要求的图片,默认True") ... os.remove(img_path)
Run with --delete_invalid False first, review the results, and only allow deletion on a backed-up copy or after explicit user confirmation.
A single bad rule, model failure, or overly broad folder selection could cause large batches of images to be classified and deleted.
Directory inputs are recursively expanded to all supported image files, so one broad input path can propagate model mistakes across many nested files.
for root, dirs, files in os.walk(INPUT_PATH): ... image_files.append(os.path.join(root, file))
Limit processing to a small staging directory, add exclusions or file-count limits, and require a dry-run summary before destructive actions.
The configured provider account may be billed or accessed, and the key will be sent to the configured Base URL.
The script uses a local model-provider API key from a fixed workspace configuration file. This is expected for the model integration, but it is sensitive account access.
CONFIG_PATH = "/root/.OpenClaw/workspace/conding-plan-models.json" ... API_KEY = config['API Key'][0]['key'] ... "Authorization": f"Bearer {API_KEY}"
Verify the Base URL and API key in conding-plan-models.json, use a least-privileged key, and avoid running the skill with untrusted model configuration.
Private or sensitive images in the chosen path may leave the local machine and be processed by the configured model provider.
Local image contents are encoded and sent to the configured chat/completions endpoint for multimodal analysis.
img_base64 = base64.b64encode(f.read()).decode() ... session.post(f"{BASE_URL}/chat/completions", ... "image_url": {"url": f"data:image/jpeg;base64,{img_base64}"})
Only process images you are comfortable sending to that provider, confirm the endpoint is trusted, and use a local/private model if the images are sensitive.
