Ecdysales
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a local image-processing skill, with expected shell-script use and no evidence of hidden network access or data exfiltration.
This skill looks reasonable for local product-photo processing. Before using it, make sure the incoming image folder contains only files you intend the agent to process, and run the optional installer only if you are comfortable granting package-manager privileges. Clean the output folder periodically if the images are sensitive or storage is limited.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the incoming-media folder contains an unintended newer image, the agent could process and return the wrong local image.
When `--latest` is used, the script selects the newest image from a local directory rather than an explicit attachment path.
`MEDIA_DIR="${ECDYSALES_MEDIA_DIR:-$HOME/Pictures/incoming}" ... find "$search_dir" -type f ... | sort -rn | head -1`
Set `ECDYSALES_MEDIA_DIR` to a dedicated attachment folder and verify the returned image, especially on shared or photo-heavy systems.
Running the installer may change system packages and require administrator privileges.
The optional setup path can install system packages with sudo when the user explicitly runs it with `--install`.
`if [[ "${1:-}" == "--install" ]]; then ... sudo apt-get update -qq ... sudo apt-get install -y imagemagick bc python3`
Only run `./scripts/setup.sh --install` if you trust the script and are comfortable with system package changes; otherwise install the listed dependencies manually.
