Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easyimage uploader

v1.0.0

Upload local image files to an EasyImages 2.0 service and return the hosted image URL. Use when the user asks to upload an image, host a picture, put a local...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for fm7077/easyimage-uploader-py.

Install the skill "Easyimage uploader" (fm7077/easyimage-uploader-py) from ClawHub.
Skill page: https://clawhub.ai/fm7077/easyimage-uploader-py
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install easyimage-uploader-py

ClawHub CLI

npx clawhub@latest install easyimage-uploader-py

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name, description, README, references, SKILL.md, and the bundled Python uploader are coherent: all implement uploading a local image to an EasyImages 2.0 server. The requested capabilities (token and server via CLI/config/env) are reasonable for the stated purpose.
Instruction Scope
SKILL.md limits actions to local-file uploads and explicitly warns about not echoing tokens and not exposing delete URLs. The bundled script follows the main upload flow and does not print the token. However the SKILL.md claims relative paths are resolved relative to the skill root; the script resolves relative image paths relative to the current working directory (Path.cwd()), so path-resolution behavior is different than the documentation. Also, the script includes the server endpoint, the path to the config file, and the server response (raw) in its JSON output, which can expose local paths and server-provided payloads (including delete URLs returned by the upstream API). The SKILL.md instructs the agent not to reveal delete URLs unless requested, but the script includes the delete URL in its printed JSON output, leaving it to the agent to honor the SKILL.md guidance.
Install Mechanism
Instruction-only skill with a small bundled script and no install spec. No external downloads or install-time code execution are required. Risk from installation is low.
Credentials
The skill does not require any environment variables by registry metadata (config is optional). The script accepts EASYIMAGE_URL / EASYIMAGE_SERVER / EASYIMAGE_BASE_URL and EASYIMAGE_TOKEN as fallbacks; SKILL.md documents EASYIMAGE_URL and EASYIMAGE_TOKEN only (minor mismatch). Requiring a single service token is proportionate to the purpose. Be aware config.json contains the token; the skill recommends not committing it and keeping permissions tight.
Persistence & Privilege
The skill does not request always:true, does not install system-wide components, and does not modify other skills. It runs a local script at invocation and has normal, limited privileges.
What to consider before installing
This skill is basically what it says: a local-image uploader to an EasyImages server. Before installing or using it, consider the following:

  • Review config.json and avoid putting real tokens into public repos. The script will read a local config file or environment variables for the upload token.
  • The uploader prints JSON that includes the endpoint, the resolved config file path, and the raw server response (including any 'del' delete URL from the server). The SKILL.md tells agents not to expose delete URLs to users unless requested, but the script still returns that value in its output. If you care about hiding delete links or local paths, modify the script to omit or redact config_path, raw response, and delete_url unless explicitly requested.
  • The documentation says relative paths resolve relative to the skill root, but the script resolves relative image paths relative to the current working directory. Prefer using absolute paths in commands to avoid surprises.
  • Confirm the environment variable names you plan to use; the script accepts additional fallbacks (EASYIMAGE_SERVER, EASYIMAGE_BASE_URL) that are not listed in SKILL.md.
  • The code builds the entire multipart body in memory; be cautious with very large files.

If you want higher assurance: run the script locally with a test server or inspect/modify the script to remove printing of config paths and raw server responses, and to explicitly avoid returning the delete URL unless the user asks for deletion. If you need help producing a hardened variant, share your requirements and I can suggest specific changes.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

easyimage-uploader

Upload a local image to an EasyImages 2.0 server, then return the hosted image URL.

Configuration priority

Resolve configuration in this order:

  1. CLI flags: --server and --token
  2. Skill-local config file: config.json
  3. Environment variables fallback:
    • EASYIMAGE_URL
    • EASYIMAGE_TOKEN

Recommended setup: create config.json in the root of this skill.

Example:

{
  "server": "https://img.example.com",
  "token": "your-easyimage-token",
  "allow_model_image_input": false,
  "temp_dir": "./temp"
}

A template file is included as config.example.json.

Config fields

  • server: EasyImages service base URL
  • token: EasyImages upload token
  • allow_model_image_input: whether upload requests are allowed to rely on model-side image understanding
    • false: prefer direct file-path upload only, avoid image analysis, avoid vision tool usage
    • true: model-side image handling is allowed when needed
  • temp_dir: temp working directory for this skill
    • default recommended value: ./temp
    • relative paths are resolved relative to this SKILL.md / skill root directory
    • with the default, the effective directory is easyimage-uploader/temp/

If configuration is missing, stop and ask the user for the missing value.

Workflow

  1. Confirm which local image file should be uploaded.
  2. Read references/api.md if you need the exact upstream API shape or status meanings.
  3. Read config.json when behavior matters.
  4. If allow_model_image_input is false, do not use image analysis or vision tools just to understand image content. Treat the image as a file and upload by path only.
  5. Use temp_dir for temporary files when downloads, conversions, or intermediate storage are needed. If the directory does not exist, create it first.
  6. Prefer absolute paths for both the script and the image file. Do not rely on ~ expansion in generated commands. Safe default:

      python3 /absolute/path/to/skills/easyimage-uploader/scripts/upload_easyimage.py /absolute/path/to/image

  7. If needed, point to a specific config file with an absolute path:

      python3 /absolute/path/to/skills/easyimage-uploader/scripts/upload_easyimage.py /absolute/path/to/image \
        --config /absolute/path/to/config.json

  8. If needed, override with explicit CLI values:

      python3 /absolute/path/to/skills/easyimage-uploader/scripts/upload_easyimage.py /absolute/path/to/image \
        --server https://img.example.com \
        --token YOUR_TOKEN

  9. The bundled script normalizes ~ and relative paths for the image and config arguments, but still prefer absolute paths in examples and real executions to avoid shell-specific surprises.
  10. Parse the JSON output.
  11. If ok is true, return the url to the user. Mention thumb only if useful.
  12. Do not expose delete_url unless the user explicitly asks for deletion capability.
  13. If upload fails, explain the likely cause using the code or error payload.

Failure handling

When the script returns a failure payload:

  • network_error: server unreachable, DNS/TLS/network problem, or timeout
  • http_error: server returned a non-2xx HTTP response
  • invalid_json: server responded unexpectedly
  • EasyImages code values should be interpreted using references/api.md

Common user-facing explanations:

  • 202: server-side upload quota reached
  • 205: current client is blocked by EasyImages allow/deny rules
  • 401: server requires login uploads instead of token-only uploads
  • 403: token invalid or signature check failed
  • 406: file type rejected

Notes

  • Use this skill for local files that already exist on disk.
  • If the user only gives a remote URL and wants it mirrored, download it first only if appropriate and allowed.
  • Prefer returning the direct image url as the main result.
  • Keep secrets safe. Never echo the configured token back to the user.
  • config.json contains secrets. Keep file permissions tight and avoid committing it to public repositories.
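
The scan summary above notes that the bundled script prints config_path, the raw server response and delete_url, leaving it to the agent to withhold them. As an added example (not part of the skill or its bundled script), here is an allow-list filter a wrapper could apply to the script's JSON output, plus a check that config.json grants nothing to group or others. The key names endpoint, raw and error, and the whole sample output, are assumptions constructed for illustration.

```python
import json
import os
import stat

# Keys the SKILL.md workflow has the agent read; "error" is an assumed key name.
SAFE_KEYS = ("ok", "url", "thumb", "code", "error")

# Constructed sample of the uploader's output. "endpoint" and "raw" are assumed
# key names; every value is a placeholder.
SAMPLE_OUTPUT = json.dumps({
    "ok": True,
    "url": "https://img.example.com/i/sample.png",
    "thumb": "https://img.example.com/thumb/sample.png",
    "delete_url": "https://img.example.com/PLACEHOLDER-DELETE",
    "endpoint": "https://img.example.com/PLACEHOLDER-ENDPOINT",
    "config_path": "/absolute/path/to/config.json",
    "raw": {"code": 200, "del": "https://img.example.com/PLACEHOLDER-DELETE"},
})


def redact_upload_result(raw_json, allow_delete_url=False):
    """Keep only allow-listed keys so new or nested fields never leak by default."""
    data = json.loads(raw_json)
    if not isinstance(data, dict):
        raise ValueError("uploader output is not a JSON object")
    out = {k: data[k] for k in SAFE_KEYS if k in data}
    # The delete link is returned only when the user explicitly asked for it.
    if allow_delete_url and "delete_url" in data:
        out["delete_url"] = data["delete_url"]
    return out


def config_is_private(path):
    """True when the file grants no permission bits to group or others (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    print(json.dumps(redact_upload_result(SAMPLE_OUTPUT), indent=2))
```

An allow-list is used rather than deleting named keys because the delete link also appears nested inside the raw server response as 'del'.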
