v1.0.0

Long Image to Xiaohongshu Image Slicing Tool

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:47 AM.

Analysis

This appears to be a straightforward local image-cropping tool, with only expected file-processing and package-installation considerations.

Guidance: This skill looks safe for its stated purpose. Before installing or using it, install Python dependencies from a trusted source, run it in a dedicated folder, and avoid sending confidential screenshots or design files through the AI workflow unless you are comfortable with that data handling.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/cropper.py
parser.add_argument('input', help='输入图片路径') ... parser.add_argument('-o', '--output', default='./output' ...)

The command-line tool accepts an input image path and an output directory, then writes processed image files. This is expected for the stated purpose, but it gives the tool local file read/write authority over user-specified paths.

User impact: If pointed at the wrong file or output folder, the tool may process unintended images or create files in an unintended location.
Recommendation: Use a dedicated output folder and review the input/output paths before running the tool, especially in batch mode.
Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
### Dependency installation
```bash
pip install Pillow
```

The skill requires a manual Python package installation. Pillow is purpose-aligned for image processing, but package installation is still a supply-chain surface users should notice.

User impact: Installing Python packages can affect the local Python environment if done globally or from an untrusted source.
Recommendation: Install dependencies in a virtual environment and use trusted package indexes; maintainers could improve this by declaring dependencies in an install spec or requirements file.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Send the original image or screenshot to the AI ... the AI slices it and returns the results

The mobile workflow explicitly involves sending original images or screenshots to the AI and receiving processed images back. This is part of the stated workflow, but screenshots or design drafts may contain private information.

User impact: Private document screenshots, design drafts, or other sensitive images may be shared with the AI workflow if the user provides them.
Recommendation: Avoid sending confidential screenshots unless you trust the environment, or run the local Python tool directly when processing sensitive images.