Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pinterest Search
v0.1.3
Search Pinterest for images and pins using keyword queries. Use this skill whenever the user wants to find Pinterest content, images, pins, or visual inspira...
by Wei Han @mikehankk
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Pinterest image/pin search) match the code and declared options. The code only requests optional Pinterest cookie, proxy, and an image cache directory which are relevant to searching and downloading images. Files written are confined to results/ and resultscache/ and an images cache directory (or XDG/LOCALAPPDATA), which is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent/user to run bundled TypeScript scripts (via Bun), to optionally provide a Pinterest cookie and proxy, and to save results and caches locally. The runtime instructions do not attempt to read unrelated system files or other credentials. Note: the README suggests running a remote install script (curl | bash) to install Bun — that instruction is outside the skill's core purpose and is a general operational risk (see install_mechanism).
Install Mechanism
There is no registry install spec, but SKILL.md tells users to install Bun with curl -fsSL https://bun.sh/install | bash. Executing remote install scripts piped to a shell is a security risk even if the URL is an official project. Additionally the dependency 'sharp' (in the bundled image-cache) is a native module that can pull build tooling and native binaries. These are reasonable for image-processing but increase installation surface and require caution.
Credentials
The skill requests only optional environment variables relevant to operation: PINTEREST_COOKIE (for authenticated searches), T2P_PROXY (for proxying requests), and T2P_IMAGE_DIR (for image cache location). No unrelated secrets or cloud credentials are requested. The code does read common OS env vars (LOCALAPPDATA, XDG_CACHE_HOME) to pick cache locations, which is appropriate for filesystem placement.
Persistence & Privilege
The skill does not request permanent platform privileges (always is false) and does not modify other skills or global agent settings. It persists its own results and cache files under results/, resultscache/, and an images cache directory only.
Assessment
This skill appears to do what it says: search Pinterest, cache results, and optionally download images. Before installing or running it:
1) Don't blindly run curl | bash commands — if you need Bun, install it from an official package manager or review the install script first.
2) The tool optionally accepts a Pinterest cookie — only provide this if you trust the code and understand that it grants access to your authenticated Pinterest session.
3) The image-download path uses the native 'sharp' library which may install native binaries; expect build steps and extra privileges for native modules.
4) The skill writes search results and image caches to disk (results/, resultscache/, and a cache directory under XDG/LOCALAPPDATA); check disk usage and remove caches if needed.
5) If you are unsure, run the scripts in a sandboxed environment or inspect the files locally before supplying any credentials or running the install script.
scripts/pinterest_search.ts:9
Environment variable access combined with network send.
scripts/vendors/image-cache/src/index.ts:26
Environment variable access combined with network send.
scripts/pinterest_search.ts:127
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
