Skill v1.0.0
ClawScan security
Image Handler · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 4:00 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are coherent with an image-processing utility: it manipulates local image files using sips/ffmpeg and does not request credentials, network access, or other unrelated privileges.
- Guidance: This skill appears to do only local image processing and does not request secrets or network access. Before installing: 1) Confirm you have the needed tools (sips is macOS-only; ffmpeg is optional for WebP/HEIC/animated GIFs). 2) Review and run the scripts on non-sensitive test images first; image-processing binaries like ffmpeg/sips have historically had vulnerabilities, so avoid processing untrusted images on high-privilege hosts. 3) The SKILL.md examples reference a developer's ~/Dropbox path but the scripts themselves use relative/input arguments, so you can move or invoke them from anywhere. If you need the skill to operate on remote images or to upload results, verify those steps separately because this skill does not implement network transfer or authentication.
Review Dimensions
- Purpose & Capability: ok. Name/description (image read/convert/resize/etc.) matches the included scripts and SKILL.md examples. The scripts perform local file conversions, metadata extraction, and batch processing as advertised.
- Instruction Scope: note. Instructions and scripts operate on local image files and reference only local commands (sips, ffmpeg, standard shell tools). Minor issues: SKILL.md includes example invocation paths rooted at ~/Dropbox/jarvis/skills/... which are just usage examples and not required by the scripts; SKILL.md references sips/ffmpeg but required-binaries metadata is empty (see install_mechanism). There are no instructions to read unrelated system files, transmit data externally, or access credentials.
- Install Mechanism: ok. No install spec (instruction-only plus bundled scripts). This is the lowest-risk install model. The scripts will be written to disk when the skill is installed, which is expected. There are no downloads from arbitrary URLs or archive extraction steps.
- Credentials: note. The skill declares no required environment variables or credentials, which is appropriate. One small inconsistency: SKILL.md expects sips (macOS) and optionally ffmpeg to be available, but the registry metadata does not list required binaries; users should ensure those tools are present for full functionality.
- Persistence & Privilege: ok. The skill does not request always:true, does not modify other skills or global agent configs, and does not store credentials. It runs only when invoked.
