Mixtiles It

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do what it says, but it uploads the user-selected photo to public third-party hosting before creating the Mixtiles link.

Before installing, be aware that the skill uploads the chosen photo to Cloudinary and then creates a Mixtiles link from that hosted image. Use it only with images you are comfortable sending to third-party services, confirm the exact file or URL being processed, and only configure the optional fallback upload endpoint/key if you trust that endpoint.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Photos used with this skill may be accessible through third-party hosted URLs and processed by Cloudinary and Mixtiles.

Why it was flagged

The skill discloses that user-selected local photos are uploaded to Cloudinary before generating the Mixtiles link. This is central to the skill's purpose, but it means private photos leave the local environment and become externally hosted.

Skill content

- **Local files**: Uploads to Cloudinary (the only host Mixtiles can display from)

Recommendation

Use it only for photos you are comfortable uploading to those services, and consider configuring your own Cloudinary account or upload preset if privacy and deletion control matter.

What this means

If the wrong path or URL is supplied, an unintended file or image could be uploaded.

Why it was flagged

The command accepts arbitrary user-provided local paths or public URLs and uploads the resolved file. This is expected for the purpose, and the code includes internal-host URL blocking, but the agent still needs to pass the intended attachment or URL.

Skill content

```python
parser.add_argument("image", nargs="?", help="Local file path or public URL (single-photo mode)")
```

Recommendation

Confirm the exact image or URL before running the script, especially for batch uploads or files in private folders.

What this means

The skill may fail if `curl` is unavailable, and users are relying on the local environment's `curl` binary.

Why it was flagged

The script depends on the local `curl` executable, while the registry metadata reports no required binaries. The command is fixed and purpose-aligned, but the runtime dependency is not declared.

Skill content

```python
subprocess.run(["curl", "-sf", "-F", f"file=@{file_path}",
```

Recommendation

Declare `curl` as a required binary or replace it with Python-native HTTP upload code.

What this means

If configured, the API key is sent to the selected fallback upload endpoint.

Why it was flagged

The skill supports an optional fallback API key for a custom upload endpoint. This is documented and not hardcoded, but it is an optional credential path that is not represented in registry credential metadata.

Skill content

```python
parser.add_argument("--upload-key", default=os.environ.get("MIXTILES_UPLOAD_KEY", DEFAULT_UPLOAD_KEY))
```

Recommendation

Only set `MIXTILES_UPLOAD_URL` and `MIXTILES_UPLOAD_KEY` for an endpoint you trust, and avoid placing shared secrets in broadly accessible environments.