Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image Fetch Toolkit

v1.0.0

Search and fetch images from the internet for any purpose - paper figures, news photos, stock images, product photos, scientific illustrations, social media...

by Haoming Yan (@newtontech)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (searching and fetching images) matches the instructions: it documents Unsplash, Pexels, Pixabay, Flickr, Google/Bing image APIs and academic/image-extraction workflows. That capability legitimately requires network access and API keys for those services.
Instruction Scope
SKILL.md explicitly contains curl examples and many env-var placeholders (e.g., $UNSPLASH_ACCESS_KEY, $PEXELS_API_KEY, $PIXABAY_API_KEY, $FLICKR_API_KEY, $GOOGLE_API_KEY, $GOOGLE_CX, $BING_API_KEY) and calls to local tooling (e.g., node ~/.openclaw/workspace/skills/tavily-search/scripts/extract.mjs). The instructions therefore assume access to network services and to local workspace files and recommend installing other skills/tools. The skill does not limit or document when/what to read from local paths, which could lead to reading user workspace files unexpectedly.
Install Mechanism
There is no install spec (instruction-only), so nothing will be written to disk by the registry install itself. However, the instructions suggest running external installers (npx skills add, uv tool install) and running local node scripts; following those recommendations would fetch and execute third-party code. The skill does not ship code, but it guides the agent to install external components at runtime.
Credentials
The registry metadata declares no required environment variables or credentials, yet SKILL.md relies on many service API keys and env-var names. While those keys are relevant to image searching, omitting them from declared requirements is an incoherence: a user cannot audit what secrets the skill needs ahead of time. The number of distinct API keys referenced is large but aligned with the described sources (stock sites, search APIs).
Persistence & Privilege
No elevated persistence requested (always:false). The skill can be invoked autonomously (disable-model-invocation:false), which is the platform default; combined with the other concerns this increases blast radius, but autonomy alone is expected.
What to consider before installing
This skill appears to do what it claims (fetch images), but its SKILL.md references many API keys and a local script path while the registry lists no required env vars — that's an inconsistency you should resolve before installing. Actionable steps:
1) Ask the publisher to update the metadata to explicitly list every API key/credential the skill needs (and why).
2) Verify whether the skill or its recommended helper tools will read local files (the Tavily path references ~/.openclaw/workspace) and avoid running it in an environment with sensitive files until you confirm scope.
3) If you must use it, provide minimal, scoped API keys (not broad account keys) and run in a sandboxed agent workspace.
4) Be cautious about executing the suggested installer commands (npx, uv tool install) because they will fetch third-party code; inspect those projects before running.
If the publisher cannot justify the missing declarations and the local-path access, treat the package with caution or refuse installation.


Tags: academic, api, image, latest, news, paper, photos, search, stock
