Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Img Compress

v1.0.1

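Batch-compress image file sizes; supports JPG/PNG and keeps the dimensions while reducing only the file size. Use when the user mentions: compressing images, reducing image size, images being too large, image optimization, or batch image compression.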

0· 76·1 current·1 all-time
by Frank_Jin@ginntech
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the included script: a Pillow-based batch compressor for JPG/PNG. However the script defaults to a very specific path (/www/wwwroot/lovehibachi_demo/public/static/img) which is unrelated to a generic 'img-compress' purpose and suggests the package was tailored to one environment.
Instruction Scope
SKILL.md instructs running the script with sudo in examples; the script overwrites originals in-place and will scan any directory provided (or the hard-coded default). There are no safeguards (no dry-run, no backups, no confirmation) and PNG handling may convert some images to JPEG, losing alpha. These instructions widen scope beyond harmless compression and increase risk of destructive changes.
Install Mechanism
No install spec; this is an instruction-only skill plus a small Python script. Dependency is only Pillow (pip). No external downloads or obscure installers are used.
Credentials
The skill requests no credentials, environment variables, or config paths. It does not attempt network access or exfiltration. The only notable environment guidance is example use of sudo (over-privileged but not a credential request).
Persistence & Privilege
The skill does not request permanent presence or elevated platform privileges, but examples encourage using sudo and the default path targets a webroot that often requires elevated permissions. This combination increases the blast radius if run carelessly.
What to consider before installing
Do not run this script as root or with sudo without checking what it will do. Inspect and (preferably) change the default path in the script — it currently points to /www/wwwroot/lovehibachi_demo/public/static/img, which could overwrite a website's images if you run it with no args. Test on a copy of images first, and back up originals; consider adding a dry-run or backup step. Avoid running the provided examples verbatim (they show sudo). If you proceed, run inside a controlled directory (not system webroots), use a Python virtualenv and install Pillow locally, and be aware PNGs may be converted to JPEG (losing transparency). If you want, I can suggest safe edits to add confirmations, backups, or a dry-run mode.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bnh8gqmabqz6b0myykcp4d1844sc7
