Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

image-collect

v1.0.0

This skill extracts knowledge from an image and saves it locally.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bondli/image-collect.

Install the skill "image-collect" (bondli/image-collect) from ClawHub.
Skill page: https://clawhub.ai/bondli/image-collect
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install image-collect

ClawHub CLI

npx clawhub@latest install image-collect
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (extract knowledge from images and save locally) align with the included code and README. Dependencies (axios, sharp, tesseract.js) are appropriate for downloading, preprocessing, and OCR.
Instruction Scope
SKILL.md directs running node dist/index.js with a URL/Base64/local path. The runtime code implements only the declared behaviors: download/accept image, preprocess, OCR, generate summary/keywords, and append a JSON record. It reads process.env.HOME to determine storage location and writes image and JSON files — consistent with 'save locally'.
Install Mechanism (!)
There is no install spec despite package.json and code importing third-party modules (axios, sharp, tesseract.js). Sharp is a native module that typically requires compilation/binaries; tesseract.js may need language data. Without an install step the provided dist/index.js will likely fail in most runtimes. This is an incoherence between delivered files and expected runtime environment.
Credentials
The skill requests no secrets or extra environment variables. It only references HOME to place files, which is proportionate to its purpose. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill writes persistent data to a directory under the user's home (~/openclaw-skill-data/). That is consistent with its purpose (saving images and a JSON DB). It does not attempt to modify other skills or global agent settings. always:false (no forced inclusion).
What to consider before installing
This skill's behavior appears coherent with its description, but take precautions before installing or running it:

  • Installation: The package.json lists dependencies (axios, sharp, tesseract.js) but no install steps are provided. Ask the author for an install spec or be prepared to run npm/pnpm install in a safe environment. Sharp is a native module and often requires build tools or prebuilt binaries.
  • Files written: The skill will create ~/openclaw-skill-data/image-knowledge-assets/ and ~/openclaw-skill-data/image-knowledge.json (or a literal '~/openclaw-skill-data' if HOME is unset). If you run it, expect persistent files in your home directory; run in a sandbox or change the code/path if you prefer.
  • Remote downloads: The skill will fetch any URL you pass. Do not provide untrusted or internal-network URLs (it could fetch internal endpoints if you or an agent supplies such URLs). If an agent can call it autonomously, ensure it only runs on user-supplied images.
  • Tesseract language data and runtime: The code calls tesseract.js; make sure required language models (e.g., chi_sim) are available or that tesseract.js is configured correctly.
  • Recommendation: Request or supply a proper install spec (or containerized packaging), test in an isolated environment, and verify where files are written before granting it regular use.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • dist/index.js:12: Environment variable access combined with network send.
  • dist/index.js:63 (!): File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

latest vk970tn1ghej9r1tbwbv68wzb1583hgdt
150 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

Image Collect Skill

This skill extracts knowledge from an image and saves it locally.

When to use

Use this skill when:

  • User sends an image
  • User asks to save image as knowledge
  • Image needs OCR or content understanding

What it does

  1. Download image
  2. Extract text and meaning
  3. Generate summary
  4. Save image locally
  5. Append knowledge to JSON database

Command

Run:

node dist/index.js "<image_url>"

Example:

node dist/index.js "https://example.com/image.png"
node dist/index.js "data:image/png;base64,xxxx"
node dist/index.js "/tmp/image.png"

Output

Returns extracted knowledge including:

  • summary
  • keywords
  • text
  • saved image path
