ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Photo Editor Pro

v1.0.0

Photo Editor Pro offers AI-enhanced editing, background removal, color grading, batch processing, and format conversion for professional image workflows.

0· 54·0 current·0 all-time
by@larios613-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description imply automated AI processing (background removal, batch processing, format conversion), but there is no code, no required binaries, and no concrete runtime commands or libraries. It's unclear how the agent is expected to perform these operations; this mismatch suggests either an incomplete skill or an assumption the agent will access arbitrary external tools or user resources to fulfill the promises.
!
Instruction Scope
SKILL.md is largely marketing and high-level feature lists rather than precise runtime instructions. It references using the file system, browser screenshots, cloud storage and social APIs but does not specify which endpoints, what credentials are needed, or what exact files/paths should be touched — granting broad discretion to the agent to read/write local files or connect to external services.
Install Mechanism
No install spec and no code files — lowest-risk in terms of writing executables to disk. However, being instruction-only increases ambiguity about how capabilities will actually be implemented at runtime.
!
Credentials
The skill lists integrations (Google Drive, Dropbox, Social APIs) but requires no environment variables or API credentials. That omission is inconsistent: cloud/social uploads normally require API keys or OAuth tokens. The lack of declared credentials either means the skill assumes ad-hoc access to the user's environment (risky) or is simply incomplete.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent/system-wide privileges or modifications to other skills' configs.
What to consider before installing
This skill looks incomplete and ambiguous rather than outright malicious, but that makes it risky to run. Before installing: ask the author for implementation details (how edits are performed, which binaries/libraries or remote APIs are used, and what credentials are required); prefer skills that list required env vars or OAuth flows for cloud integrations; avoid granting the agent broad filesystem or cloud access until you can verify it only touches the image files you explicitly choose; verify the publisher (homepage, repo, or contact) and prefer skills with explicit runtime commands or packaged code you can audit. If you must test it, run it in a sandboxed agent environment and do not point it at sensitive folders or account credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk976vvg5944c5011vpm4y1gves83vx61

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments