Ecdysales
v1.0.2
Quick product image processing: add price sticker + watermark + logo. Use when user sends `$price:` with an image. Minimal context, runs fast.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (add price sticker + watermark + logo) matches the files and required binaries (ImageMagick tools convert/identify, bc, python3). Provided scripts implement exactly that functionality (setup, run entrypoint, make-product image processor). No unrelated credentials, services, or installers are requested.
Instruction Scope
SKILL.md instructs the agent to run scripts/run.sh with a price and image only; the scripts themselves perform only local file operations and ImageMagick processing. Two cautionary points: (1) ImageMagick historically has had vulnerabilities when processing untrusted images (delegates, encoded payloads); the skill claims 'no network' but that does not eliminate ImageMagick-specific risks. (2) The scripts rely on careful quoting (SKILL.md insists on single quotes around prices). Some command-line expansions in run.sh/make-product.sh are brittle and could mishandle specially crafted price strings or filenames if the caller doesn't follow the quoting rules — SKILL.md mitigates this but the implementation is not fully hardened.
Install Mechanism
No remote download/install artifact is embedded in the registry metadata; this is primarily an instruction-and-scripts package. setup.sh can optionally install packages via the system package manager (apt/dnf/pacman/brew) — expected for this type of tool and done via standard package managers, not arbitrary URLs.
Credentials
The skill requires only local binaries and does not declare or require any secrets or config paths. It optionally reads ECDYSALES_MEDIA_DIR to locate recent images (defaulting to $HOME/Pictures/incoming) — this is reasonable for a media-focused tool but is worth noting because run.sh will search that directory by default.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or global agent configuration. Output is written to a local output/ directory; there is no database or external telemetry. setup.sh can create output/ and mark scripts executable — normal install-time actions.
Assessment
This package appears to do what it says: local image processing with ImageMagick. Before installing, consider:
1) ImageMagick risk — processing attacker-crafted images can sometimes lead to code execution or unexpected behavior; only run the skill on images from trusted sources or sandbox it.
2) Quoting fragility — the scripts require callers to use single quotes around prices (e.g., '$299'); failing to follow that can change how the shell interprets the argument. If you plan to let an agent invoke this automatically, ensure the agent supplies correctly quoted arguments and that the agent's runtime isolates execution (or restricts which input folders it can read).
3) setup.sh may auto-install system packages via sudo if you run it with --install — review and approve those package manager actions.
4) The tool will look in ~/Pictures/incoming by default for the latest image; if you dislike that, set ECDYSALES_MEDIA_DIR to a safe folder.
Overall: functionally coherent but apply usual caution for processing untrusted images and ensure proper quoting/agent sandboxing.
Like a lobster shell, security has layers — review code before you run it.
Tags: imagemagick, latest, price-sticker, product-images, watermark
Runtime requirements
Bins: convert, identify, bc, python3
