Multimedia Manager

v1.0.6

Self-hosted agent to organize, search, and browse images and videos with auto-deduplication, full-text search, albums, favorites, and a responsive web gallery.

by nuoguoai @nuoguo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (local image/video vault, search, gallery) align with the provided Python scripts and CLI/web server. The skill reads a .env token, stores files in a vault directory, runs a local Flask web UI, and uses SQLite for metadata — all consistent with its purpose. One metadata mismatch: the registry metadata lists no required environment variables while SKILL.md and the code require/expect IMAGE_VAULT_TOKEN (and document IMAGE_VAULT_DIR, IMAGE_VAULT_HOST, IMAGE_VAULT_DB, PORT). This is a documentation/packaging inconsistency but not indicative of malicious behavior.
Instruction Scope
SKILL.md and the scripts are mostly explicit: setup.sh runs a one-time pip install, generates .env with IMAGE_VAULT_TOKEN, creates ~/.image-vault, and initializes the DB. The code loads .env from the skill directory and config.yaml (copied from config.example.yaml) and only accesses the vault and skill directories. cleanup_inbound.py can delete files in the inbound folder (default = IMAGE_VAULT_DIR/inbound) — this deletion behavior is documented and the script supports a --dry-run flag. Optional subprocess calls to ffmpeg/ffprobe are present for video metadata/thumbnail extraction; they are local binaries and degrade gracefully if absent. The web server exposes endpoints (including /api/file and a backup endpoint) but enforces that served files live under the vault or skill data directories and is token-protected by default. AI features are stubs in the Community edition (no calls to external AI APIs in the provided code).
Install Mechanism
There is no registry 'install spec', but the included setup.sh performs 'pip install Flask Pillow PyYAML' which requires network access to PyPI. This is a standard, limited dependency install (no remote archive downloads from unknown servers). The setup script is included in the bundle and its behavior (one-time pip install, creation of .env and vault dirs) is documented in SKILL.md and visible in the script.
Credentials
The only sensitive value is IMAGE_VAULT_TOKEN used to protect the local web UI; other env vars (vault dir, host, db path, port) control local paths/ports. The set of environment variables is proportionate to a self-hosted gallery. The earlier registry metadata omission of required env vars is inconsistent with the skill's own declarations and should be corrected by the publisher, but the variables themselves are reasonable for the stated function.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It creates and writes to a vault directory under the user's home and initializes an SQLite DB — expected for this application. The ability to delete inbound files is limited to a configurable inbound directory and the script documents a dry-run mode. The web server binds to localhost by default (127.0.0.1) and uses a token; ensure you do not bind it to a public interface if you want to keep it local.
Assessment
This package appears to do what it says: a local image/video vault with a token-protected web gallery. Before installing:
1) Inspect setup.sh yourself — it runs pip to install three PyPI packages (Flask, Pillow, PyYAML). If you prefer, install those packages manually instead of running setup.sh.
2) Keep IMAGE_VAULT_DIR pointed to a dedicated folder (default ~/.image-vault); don't point it at a system or shared folder you care about, because cleanup_inbound.py can delete files in the inbound subfolder (use --dry-run to verify).
3) The web UI is token-protected and binds to 127.0.0.1 by default — do not change the host to 0.0.0.0 unless you intend to expose it.
4) The registry metadata omitted the required IMAGE_VAULT_TOKEN entry; trust the skill's SKILL.md/code instead and ensure you preserve the generated token.
5) If you need absolute assurance, review the truncated/omitted functions (e.g., backup_db, delete_image) in image_db.py before running to confirm backups and deletes behave as you expect.

Like a lobster shell, security has layers — review code before you run it.

latest vk97a5c7qmaabndayxf0pnvedmd832a16
