v0.1.0

Smart Image Search

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:43 AM.

Analysis

This image-search skill appears purpose-aligned, but it will send search queries to public image search engines and save downloaded images locally.

Guidance: This skill looks safe for ordinary image searches. Before installing, be comfortable with your search terms being sent to Bing, Baidu, and Sogou, and with selected images being downloaded into a local temporary directory.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
scripts/fetch_best_image.py
with urllib.request.urlopen(req, timeout=30) as resp:
        data = resp.read()
...
out_dir = Path("/home/mumu/clawd/tmp/search-image")

The script downloads image bytes from a selected result URL and writes them to a local directory. This is purpose-aligned, but it means untrusted web content is saved locally.

User impact: The skill may place downloaded files from the web on the local system when fulfilling image requests.
Recommendation: Open downloaded images cautiously, verify sources when needed, and clean up the temporary image directory if files are no longer needed.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
metadata
Source: unknown
Homepage: none

The registry metadata does not provide an upstream source or homepage. This is a provenance limitation, though the provided artifacts do not show hidden install steps or unexpected dependencies.

User impact: It may be harder to verify the publisher's upstream project or maintenance history.
Recommendation: Review the included files before installing and prefer a known source if provenance is important for your environment.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: High, Status: Note
scripts/search_best_image.py
url = f"https://www.bing.com/images/search?q={encoded}"
...
url = f"https://image.baidu.com/search/index?tn=baiduimage&word={encoded}"
...
url = f"https://pic.sogou.com/pics?query={encoded}"

The skill sends the user's search query to third-party image search providers. This is expected for the stated purpose, but query text may be visible to those providers.

User impact: Private or sensitive image-search terms could be shared with external search engines.
Recommendation: Avoid using the skill for confidential queries, and expect the listed search providers to receive the query text.