Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

image-optimization

v1.2.1

When the user wants to optimize images for search engines and performance. Also use when the user mentions "image SEO," "alt text," "image captions," "figcap...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (image optimization / image SEO) matches the instructions, which are a lengthy, plausible checklist for image SEO, formats, srcset, alt text, LCP, sitemaps, etc. The skill requires no binaries, env vars, or installs, which is proportionate for a purely advisory skill. However, the SKILL.md explicitly tells the agent to look for and read .claude/project-context.md or .cursor/project-context.md in the project workspace for brand/page context—those config paths are not declared in the skill metadata, creating a minor incoherence between what it says it needs and what it will access.
Instruction Scope
SKILL.md instructs the agent to 'check for project context first' and to read .claude/project-context.md or .cursor/project-context.md if present. Those are explicit file reads of workspace files that are outside the declared requirements. While reading project context for SEO advice can be reasonable, the instructions give the agent permission to access arbitrary project files without declaring them. This raises a scope concern because it could expose sensitive project content. The rest of the instructions (examining HTML image tags, advising on srcset, sitemaps, alt text, LCP) are in-scope for the stated purpose.
Install Mechanism
No install spec and no code files — this is an instruction-only skill. That minimizes risk from arbitrary code installs. There are no downloads, package installs, or binaries to evaluate.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is appropriate for an advisory/analysis skill. Note, however, that the SKILL.md nonetheless asks to read specific project files (see instruction scope). There are no requests for external credentials or unrelated service tokens.
Persistence & Privilege
The skill is not 'always' enabled and is user-invocable; it does not request persistent presence or elevated platform privileges. It is instruction-only and does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a legitimate, instruction-only image SEO guide, but it instructs the agent to read local project files (.claude/project-context.md or .cursor/project-context.md) even though no file-access paths are declared. Before installing or allowing autonomous use, consider:
1) Do you want the skill to read arbitrary workspace files? If not, decline or restrict it.
2) Ask the author to explicitly declare any project file paths the skill will read and make file-reading opt-in.
3) If you test it, run it in a safe/isolated repository that contains no secrets or sensitive content.
4) Verify the skill does not attempt to exfiltrate data (there are no network/credential directives in the SKILL.md, which reduces risk).
If those checks are acceptable, the skill's behavior is reasonable for image-SEO assistance; otherwise treat it cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk976v222t91xj6ss68tmfmrrt1848qgp
