Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image Process

v0.1.0

Image processing tool for compression, background removal/replacement, and upscaling. Invoke when user wants to compress image, remove background, change bac...

by Real @sanford284
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included code: index.js implements compress, remove background, replace background, and upscale. Dependencies (@imgly/background-removal-node, sharp) are appropriate for the stated features. Minor metadata inconsistencies exist (package.json/package-lock/package bin name mismatch and SKILL.md references @imgly/background-removal vs @imgly/background-removal-node), but these are documentation/packaging issues rather than indicators of hidden behavior.
Instruction Scope
SKILL.md and CLI instruct the agent to read input image files and write output image files, and to call the exported functions. The code only reads/writes paths supplied by the user and calls a local background-removal library; it does not access unrelated system files, environment variables, or external HTTP endpoints in the provided files.
Install Mechanism
There is no platform install spec in the registry metadata, but the package includes package.json and package-lock.json indicating an npm install is expected. Dependencies are fetched from the public npm registry (registry.npmjs.org) which is standard; @imgly/background-removal-node and onnxruntime-node will pull native binaries. This is expected for local ML/image processing but means native binaries will be downloaded/installed at npm install time and Node >=18 is required.
Credentials
The skill does not request environment variables, credentials, or config paths. All operations are file-based and proportional to the declared purpose.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false). It does not modify other skills or system configurations in the provided files. Autonomous invocation is allowed by default (normal), but that is not combined with any elevated privileges or broad credential access.
Assessment
This skill appears to be what it claims (an offline image-processing tool). Before installing, consider:
(1) npm install will download native binaries (sharp, onnxruntime-node) — ensure you run this in an environment where installing native modules is acceptable and Node >=18 is available;
(2) verify the @imgly/background-removal-node package source and license if you need vendor trust;
(3) the package and lockfile show small metadata inconsistencies (different package/bin names in places) — these are likely packaging/documentation issues but you may want to confirm the intended CLI name and package identity;
(4) the tool reads and writes any file paths you pass it — avoid giving it sensitive files/paths;
(5) if you need stricter assurance, run npm install and execute the code in a sandbox or review the installed dependency tree before running on production data.

Like a lobster shell, security has layers — review code before you run it.
