Skill v1.0.0

ClawScan security

Image Deduplicator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 10:30 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill appears to implement image deduplication but its documentation and runtime instructions claim configurable similarity matching that the included script does not actually implement; otherwise there are no obvious exfiltration or credential risks.
Guidance
This skill is coherent with its stated purpose (finding and removing duplicate image files) and does not request credentials or network access. However, the documentation claims a configurable similarity threshold (e.g., 90% similarity) while the included script does not implement a similarity-distance comparison; it only groups images whose perceptual hash strings are identical. Before using destructive actions (delete/move):
1) run with --action list to review groups,
2) back up your images or test on a small subset,
3) inspect or modify the script if you need true similarity (implement Hamming-distance comparisons of phash values), and
4) ensure pillow and imagehash are installed in a controlled environment.
If you rely on the threshold feature, treat the current implementation as incomplete and contact the author or modify the code to compute and compare hash distances rather than string equality.

Review Dimensions

Purpose & Capability
ok: Name and description match the provided code and SKILL.md: the script scans folders, computes MD5 and perceptual hashes, and can list/delete/move duplicate files. The required capabilities (none) are proportionate to the task.
Instruction Scope
concern: SKILL.md claims a configurable similarity threshold (e.g., 90%) for finding similar images. The script only uses the threshold to decide whether to call perceptual hashing (use_phash when threshold < 100) but then groups files by exact hash string equality. There is no comparison of Hamming distance or other similarity measure to support a numeric threshold. This is a functional mismatch: the instructions promise near-duplicate detection by threshold but the code only finds exact hash matches (or identical perceptual hash strings).
Install Mechanism
note: There is no install spec (instruction-only install). SKILL.md recommends 'pip install pillow imagehash', which is reasonable. No remote downloads or obscure installers are used. Because the code is included, nothing is written to disk by an installer beyond normal package installation.
Credentials
ok: The skill requests no environment variables, no credentials, and references only local file system paths supplied by the user. This is proportionate to an image dedupe tool.
Persistence & Privilege
ok: always is false and the skill does not request persistent system privileges or modify other skill configurations. It runs as a user-invoked CLI script and performs local file operations only.