PhotoCHAT Photo Search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PhotoCHAT CLI search helper, but it can search local personal photos and pass returned photo paths to the agent when image-search requests are made.

Install this only if you are comfortable letting the agent search your local PhotoCHAT library and show returned photo paths or images. Verify the PhotoCHAT CLI is legitimate, and be explicit when you do or do not want local PhotoCHAT photos searched.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
Low
What this means

A broad image-search request may search your local PhotoCHAT library rather than another image source.

Why it was flagged

The generic trigger could route an ambiguous image-finding request to local PhotoCHAT search even if the user did not explicitly say PhotoCHAT.

Skill content

Triggers include phrases like 'find me a photo of...', 'search photochat for...', 'use photochat to find...', or simply 'find me a picture of...'.

Recommendation

Use this skill only if you want generic photo/picture search requests to search PhotoCHAT, or ask explicitly for another source.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may run the local PhotoCHAT command to search your photo library when the skill is invoked.

Why it was flagged

The skill instructs the agent to invoke a local CLI command. This is central to the stated purpose and is not hidden, but it is still a local tool action.

Skill content

photochat search [options] <natural language query>

Recommendation

Ensure the PhotoCHAT CLI/app alias is trusted and installed intentionally before relying on this skill.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill itself has no code to install, but safety depends on the PhotoCHAT CLI already present on the system.

Why it was flagged

The registry metadata does not provide provenance or declare the external PhotoCHAT binary, even though the skill instructions depend on the `photochat` CLI.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Required binaries (all must exist): none

Recommendation

Verify that the installed PhotoCHAT app/CLI comes from a trusted source and is the expected version.

ASI06: Memory and Context Poisoning
Low
What this means

Personal photo paths and displayed photo content may become visible in the agent conversation context.

Why it was flagged

The skill retrieves local photo-library results and sends absolute paths, and potentially images, into the agent workflow.

Skill content

Search the user's photo library using PhotoCHAT's natural language search CLI. ... Result paths are absolute file paths; pass directly to the `image` tool

Recommendation

Avoid using the skill for photos you do not want surfaced in the session, and review results before sharing them further.