ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Images

v1.0.0

Source free stock photos and placeholder images with direct URLs for Unsplash, Pexels, Pixabay, and Lorem Picsum.

1· 577·5 current·5 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (source free stock photos and placeholders) matches the files and instructions: URL patterns for Lorem Picsum, Unsplash, Pexels, Pixabay, Placehold.co, etc. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
SKILL.md and the referenced files only instruct the agent to return or construct direct image URLs and optionally store a local memory.md if the user asks. They instruct loading local reference files (setup.md, unsplash-categories.md). The README claims "No user data sent," but any HTTP request to external image hosts will inevitably include network metadata (IP address, request headers and possibly Referer) — this is normal for hotlinking and not hidden in the skill, but users should be aware.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install model (nothing written to disk by an installer).
Credentials
The skill requires no environment variables, credentials, or config paths. The absence of secrets is proportionate to a URL/reference skill. Note: making image requests contacts third-party hosts and can expose network-level metadata (IP/headers).
Persistence & Privilege
always:false and standard autonomous invocation are used (normal). The only persistence suggested is an optional local memory file saved only if the user requests it; the skill does not request elevated privileges or modify other skills.
Assessment
This skill is coherent and lightweight: it only supplies ready-to-use image URL patterns and optional local preference saving. Before installing or using it, consider: (1) Network/privacy — fetching images from external hosts will reveal your IP and request headers to those hosts (normal for hotlinking). (2) Licensing — verify license/attribution for production use even though many services permit casual use. (3) Stability — direct source URLs (e.g., source.unsplash.com) may redirect or change; if you need consistency, cache the final image URL or use IDs. (4) If you need higher request volume, attribution, or guaranteed terms, prefer the official APIs (which require keys) rather than anonymous hotlinking. If these tradeoffs are acceptable, the skill is fine to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk973kq49796rdwxqr7wkmfxp4581vd4q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📸 Clawdis
OSLinux · macOS · Windows

Comments