Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Save Image

v1.0.0

Download images, GIFs, and media from any URL using proper headers, Referer spoofing, and scraping to handle CDNs and social media sources correctly.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bstokes0971/save-image.

Install the skill "Save Image" (bstokes0971/save-image) from ClawHub.
Skill page: https://clawhub.ai/bstokes0971/save-image
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install save-image

ClawHub CLI

npx clawhub@latest install save-image

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description match the included instructions and script: the skill is focused on fetching images with browser headers, referer spoofing, and a two-step scrape. However, SKILL.md instructs use of external tools (gifgrep, yt-dlp, jq) and provider-specific API keys (GIPHY_API_KEY) that are not declared in the skill metadata. A legitimate image-download helper should declare required binaries and any credentials it may need.
Instruction Scope
Runtime instructions and the script stay within the stated scope: performing HTTP fetches, scraping pages for CDN URLs, and validating file types. The instructions do not ask to read unrelated local files or to exfiltrate data to unexpected endpoints. They do instruct the agent to run external tools (yt-dlp, gifgrep) which have broader scraping/downloading capabilities; those tools can change the effective scope when present.
Install Mechanism
There is no install spec (instruction-only), which is low-risk from an automatic-install perspective. But because SKILL.md depends on third-party binaries (gifgrep, yt-dlp, jq, grep, curl, file), the skill should have declared them or provided guidance to install them — absence of that is a transparency/operational gap.
Credentials
The skill metadata declares no required environment variables, but references in references/tools.md note that GIPHY_API_KEY is required for some gifgrep providers. That mismatch is concerning: the skill may later ask for or expect API keys or tokens that were not disclosed up front. No other credentials are requested, which is appropriate for this functionality, but the GIPHY_API_KEY mention should have been declared.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system settings. Autonomous invocation is allowed (platform default) but is not combined here with broad credentials or always:true, so privilege footprint is limited.
What to consider before installing
This skill appears to do what it says (download images with proper headers and simple scraping), but there are some gaps you should consider before installing:

- Missing dependency declarations: SKILL.md expects external tools (gifgrep, yt-dlp, jq, grep, curl, file). Confirm those binaries are present on the host or ask the author to declare them and provide an install script. gifgrep and yt-dlp in particular can perform broad downloads and may have their own credential requirements.
- Undeclared API key: references/tools.md mentions GIPHY_API_KEY for Giphy usage but the skill metadata doesn't list any required env vars. If you plan to use Giphy via gifgrep, obtain and provide that API key only when necessary and verify how the skill stores/uses it.
- No hidden network endpoints were found in the included files, and the provided shell script only performs HTTP GETs and local file checks. Still, be mindful that scraping can retrieve login-gated or copyrighted content; avoid using private credentials or downloading material you do not have rights to.
- Operational limits: the instructions note Cloudflare and login-gated content won't work; browser automation or authenticated sessions are required for those cases.

Recommendations: ask the skill author to (1) list required binaries and env vars in the metadata, (2) provide installation instructions or package references for gifgrep/yt-dlp if the skill relies on them, and (3) confirm how any API keys are used and whether they are stored. Test the script on innocuous public images first.

MIT-0

save-image

Never guess at direct image URLs. Never use bare curl with no headers. Always pick the right tool.

Decision Tree

What are you downloading?
├── GIF or meme search (no specific URL) → gifgrep
├── Video or social media (YouTube, TikTok, Twitter/X, Instagram, Reddit) → yt-dlp
├── Image URL from a CDN-protected site (Imgur, KnowYourMeme, Reddit, etc.) → two-step scrape
└── Plain image URL (direct .jpg/.png/.gif link, no CDN) → curl with headers

See references/tools.md for tool-specific flags and examples.

Rule 1: Always send browser headers

Never do bare curl <url>. CDNs check Referer and User-Agent and block bot-looking requests.

Minimum headers for any curl image fetch:

curl -s "<url>" \
  -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" \
  -H "Referer: <origin-of-the-page-hosting-the-image>" \
  -H "Accept: image/webp,image/apng,image/*,*/*;q=0.8" \
  -o <output-file>

Use scripts/fetch-image.sh for a ready-made wrapper.

Rule 2: Two-step scrape for CDN images

If you don't have a direct image URL (or a guessed URL fails), scrape the page first:

# Step 1: Scrape the page for real CDN image URLs
curl -s "<page-url>" \
  -H "User-Agent: Mozilla/5.0 ..." \
  | grep -oE 'https://[a-z0-9._-]+\.(com|net|org)/[^"]+\.(jpg|jpeg|png|gif|webp)' \
  | head -10

# Step 2: Download the URL you want with Referer set to the page
curl -s "<image-url>" \
  -H "Referer: <page-url>" \
  -H "User-Agent: Mozilla/5.0 ..." \
  -o <output-file>

Rule 3: Verify the download

Always confirm you got an actual image, not an HTML error page:

file <output-file>
# Should say: JPEG image data / PNG image data / GIF image data
# NOT: HTML document / ASCII text
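
The same check done on the file's leading magic bytes, so it does not depend on the `file` binary and can gate what happens to the download. This is an added example, not part of the skill or its scripts/fetch-image.sh; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a downloaded file by its magic bytes and
# discard anything that is not an image. Function names are hypothetical.
# Usage (after sourcing): verify_download ~/Downloads/image.jpg

# Print the first N bytes of a file as lowercase hex, no separators.
hex_head() {
  od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Echo jpeg|png|gif|webp for a recognised image, otherwise "unknown".
# The file extension is ignored on purpose: it comes from the URL,
# not from the content that was actually served.
sniff_image_type() {
  [ -f "$1" ] || { echo unknown; return 1; }
  h=$(hex_head "$1" 12)
  case "$h" in
    ffd8ff*)                     echo jpeg ;;
    89504e470d0a1a0a*)           echo png ;;
    474946383761*|474946383961*) echo gif ;;    # GIF87a / GIF89a
    52494646????????57454250)    echo webp ;;   # RIFF <size> WEBP
    *)                           echo unknown; return 1 ;;
  esac
}

# Keep the file only if it is a supported image. An HTML error page or
# login form saved under an image name is deleted so nothing downstream
# opens or forwards it.
verify_download() {
  if t=$(sniff_image_type "$1"); then
    echo "ok: $1 is $t"
  else
    rm -f -- "$1"
    echo "rejected: $1 is not a supported image" >&2
    return 1
  fi
}
```
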

Quick Examples

GIF search (no URL):

gifgrep "distracted boyfriend" --download --max 1

KnowYourMeme / CDN-protected image:

# Scrape page → get URL → fetch with Referer
curl -s "https://knowyourmeme.com/memes/doge" -H "User-Agent: Mozilla/5.0..." \
  | grep -oE 'https://i\.kym-cdn\.com/[^"]+\.(jpg|png|gif)' | head -3
# Then fetch the URL with Referer: https://knowyourmeme.com/

Direct image URL:

bash scripts/fetch-image.sh "https://example.com/image.jpg" ~/Downloads/image.jpg "https://example.com"

Video/social media:

yt-dlp "<url>" -o "$HOME/Downloads/%(title)s.%(ext)s"
