Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PhotoPlus Album Downloader

v1.0.0

Download PhotoPlus / 谱时图片直播 albums from a URL or activity ID; use to inspect metadata, filter date tabs, save JSON, or write caption/GPS metadata.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for helloene/photoplus-album-downloader.

Install the skill "PhotoPlus Album Downloader" (helloene/photoplus-album-downloader) from ClawHub.
Skill page: https://clawhub.ai/helloene/photoplus-album-downloader
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install photoplus-album-downloader

ClawHub CLI

npx clawhub@latest install photoplus-album-downloader

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name, description, SKILL.md, wrapper script, and upstream notes all align: the skill downloads PhotoPlus live albums and exposes relevant flags. Required binary (python3) matches the stated purpose; no unrelated credentials or config paths are requested.

! Instruction Scope

Runtime instructions include cloning or downloading the upstream script from GitHub and then executing it. The SKILL.md and wrapper explicitly allow installing dependencies and running the upstream script; they do not require reading unrelated system files, but they do instruct the agent/operator to fetch and run remote code. The wrapper creates a local cache directory (.codex) and writes output under ./PhotoPlus, which is expected but should be noted.

! Install Mechanism

There is no packaged install spec (instruction-only), but the included wrapper will: (1) attempt a shallow git clone of the upstream repo or (2) download a raw script from raw.githubusercontent.com (main branch), and then execute it. Downloading and executing unpinned code from the main branch and running pip install (possibly from a requirements file) is a higher-risk pattern because the fetched code can change after skill publication. The hosts used (github.com, raw.githubusercontent.com, PyPI) are well-known, which mitigates some risk, but the lack of pinning is the main concern.

Credentials

The skill requests no environment variables or credentials. The ability to install dependencies uses pip and network access, which is proportional to the claimed functionality but represents an escalation of runtime privileges (network + package install).

Persistence & Privilege

always is false and the skill does not request to be always-present. It creates local files/directories (.codex and ./PhotoPlus) in the working directory but does not modify other skills or system-wide agent configuration.

What to consider before installing

This skill is functionally coherent but executes code fetched from the network (GitHub main/raw) and may install Python packages. Before installing or running it: (1) review the upstream repository (or bundle) and prefer a pinned commit; (2) run the wrapper in a sandbox or VM; (3) use --dry-run and --repo-dir pointing to a vetted local clone instead of letting it auto-download; (4) avoid --install-deps in sensitive environments — instead inspect requirements.txt and install dependencies from a trusted source; and (5) be aware it will write output to ./PhotoPlus and create a .codex cache directory in the working directory.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: python3
MIT-0

PhotoPlus Album Downloader

Overview

Use the upstream Python project helloene/live-album-downloader to download original images from public PhotoPlus live albums. Always confirm the user has permission to download/store the album contents when the album is not clearly theirs.

Quick Workflow

  1. Extract the activity ID from the user input. PhotoPlus IDs are numeric and usually appear in:

       https://live.photoplus.cn/live/12345678
       https://live.photoplus.cn/live/pc/12345678/#/live

  2. Prefer the bundled wrapper because it accepts either a URL or ID and can clone/download the upstream project if needed:

       python3 /path/to/photoplus-album-downloader/scripts/download_photoplus_album.py \
         "https://live.photoplus.cn/live/12345678" \
         --workdir /path/to/output-root \
         --install-deps

  3. If dependencies are already installed and the upstream repo is already present, call the upstream script directly:

       python3 live_album_downloader.py --id 12345678

  4. Report the output folder. The upstream project writes to ./PhotoPlus/<activity_id>/ from the command working directory, or ./PhotoPlus/<folder-name>/ when --folder-name is used.
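
Step 1 as an added example (not code from the skill or the upstream project): a strict extractor that accepts only a bare numeric ID or the two URL shapes listed above, so that look-alike hosts and smuggled flags are rejected before anything reaches the wrapper. The function names, the https-only rule and the single-host allowlist are assumptions; --dry-run is the wrapper flag described under Options.

```python
import re
from urllib.parse import urlsplit

# Assumption: only the host shown in the skill's own examples is accepted.
ALLOWED_HOSTS = {"live.photoplus.cn"}
# /live/<id> or /live/pc/<id>, with an optional trailing slash; ASCII digits only.
PATH_RE = re.compile(r"/live/(?:pc/)?([0-9]+)/?")
ID_RE = re.compile(r"[0-9]+")


def extract_activity_id(user_input: str) -> str:
    """Return the numeric activity ID, or raise ValueError for anything else."""
    text = user_input.strip()
    if ID_RE.fullmatch(text):
        return text
    parts = urlsplit(text)
    if parts.scheme != "https":
        raise ValueError("expected an https URL or a bare numeric ID")
    # Reject userinfo tricks (host@other-host) and hosts outside the allowlist.
    if parts.username or parts.password or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("unexpected host or userinfo in URL")
    # The '#/live' suffix is a fragment and is not part of parts.path.
    match = PATH_RE.fullmatch(parts.path)
    if match is None:
        raise ValueError("path is not /live/<id> or /live/pc/<id>")
    return match.group(1)


def dry_run_argv(user_input: str) -> list[str]:
    """Build an argument list (no shell) that only prints the resolved command."""
    activity_id = extract_activity_id(user_input)
    return ["python3", "scripts/download_photoplus_album.py", activity_id, "--dry-run"]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real album.
    for sample in ("https://live.photoplus.cn/live/pc/12345678/#/live",
                   "12345678 --install-deps",
                   "https://live.photoplus.cn.example.test/live/12345678"):
        try:
            print(sample, "->", dry_run_argv(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```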

Common Commands

Inspect album metadata and tab names before downloading:

python3 scripts/download_photoplus_album.py 12345678 --inspect --install-deps

Download only a date-like tab:

python3 scripts/download_photoplus_album.py 12345678 --tab 3.29 --folder-name "event-3.29"

Save metadata sidecars and preserve useful filenames:

python3 scripts/download_photoplus_album.py 12345678 \
  --save-metadata \
  --rename-template "{date}_{time}_{name}"

Write album title caption and GPS EXIF/IPTC metadata:

python3 scripts/download_photoplus_album.py 12345678 \
  --write-caption \
  --gps-lat 31.2304 \
  --gps-lon 121.4737

Options

  • Use --count N for test runs or partial downloads.
  • Use --tab all for all photos; date tabs such as 3.28 are matched from photo timestamp metadata by the upstream project.
  • Use --folder-name NAME to avoid numeric output folders.
  • Use --dry-run on the wrapper to print the resolved upstream command without network or download work.
  • Use --repo-dir PATH when an existing clone of helloene/live-album-downloader should be reused.
  • Use --install-deps when requests, tqdm, or piexif are missing.

Troubleshooting

  • If the upstream script prints Wrong ID, re-check that the number came from /live/<id> or /live/pc/<id>, and that the album is public/available.
  • If dependency installation fails in a sandbox, request approval to run the same pip/network command with escalation.
  • If the album has many photos, first run with --inspect or --count 10.
  • If filenames collide, the upstream project auto-adds suffixes such as _2.

References

  • Read references/upstream-project.md for the exact upstream repository URL, pinned commit observed while creating this skill, and supported CLI flags.
  • Use scripts/download_photoplus_album.py as the low-friction command wrapper.
