smart-image-loader

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

A maliciously crafted image path or URL could cause the agent to run an unintended shell command, or to delete more than the intended temporary file, if the exec tool passes the composed string to a shell instead of executing an argument vector.

Why it was flagged

The workflow tells the agent to run shell-style commands that embed image URLs/paths and then to remove a returned path. Because those values can be influenced by the user or by the remote filename, the skill should require safe quoting or argv-based execution; otherwise shell metacharacters in a path or URL (`;`, `&&`, `$(...)`, backticks) could be interpreted as commands.

Skill content
Run: `python3 scripts/smart_image_loader.py https://example.com/photo.jpg` ... Use `exec` with `rm <file_path>` for cleanup
Recommendation

Avoid composing shell strings from user-controlled paths. Use argv-based command execution, quote or escape any path that must go through a shell, validate filenames, and prefer Python-based cleanup such as `os.remove()` on the exact temporary file the loader created, after checking that the path still resolves inside the temporary directory.
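The behaviour described above, as an added example that is not part of the skill or of ClawScan's output: a constructed URL carrying a shell metacharacter is executed three ways (spliced into a shell string, passed as one argv element, and quoted with `shlex.quote`), and a cleanup routine replaces `rm <file_path>` with `os.remove()` guarded by a temp-directory check. `scripts/smart_image_loader.py` is stood in for by a one-liner that echoes its argument, and `HOSTILE_URL`, `safe_cleanup` and `cleanup_demo` are names chosen here.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed hostile input: the tail after ';' is a second command to /bin/sh.
HOSTILE_URL = "https://example.com/photo.jpg; echo INJECTED"

# Stand-in for scripts/smart_image_loader.py (assumed name from the skill docs):
# a one-liner that writes back the URL it received, so the shell's effect is visible.
LOADER_ARGS = ["-c", "import sys; sys.stdout.write(sys.argv[1])"]


def run_as_shell_string(url):
    """The pattern the advisory flags: the raw URL is spliced into a shell string."""
    cmd = " ".join([shlex.quote(sys.executable), *map(shlex.quote, LOADER_ARGS), url])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_as_argv(url):
    """Argv-based execution: the URL is a single argument and no shell parses it."""
    argv = [sys.executable, *LOADER_ARGS, url]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_as_quoted_shell_string(url):
    """If a shell string is unavoidable, shlex.quote turns the URL into one shell word."""
    cmd = " ".join([shlex.quote(sys.executable), *map(shlex.quote, LOADER_ARGS),
                    shlex.quote(url)])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_cleanup(file_path, tmp_dir):
    """Remove file_path only if it is a regular file inside tmp_dir; never shell out to rm."""
    real_tmp = os.path.realpath(tmp_dir)
    real_path = os.path.realpath(file_path)
    if os.path.commonpath([real_tmp, real_path]) != real_tmp:
        return False  # path escaped the temp directory (../, absolute path, symlink)
    if not os.path.isfile(real_path):
        return False  # refuse directories and anything that is not a plain file
    os.remove(real_path)
    return True


def cleanup_demo():
    """Exercise safe_cleanup in a throwaway temp dir.

    Returns (removed_inside, blocked_outside, inside_file_gone).
    """
    with tempfile.TemporaryDirectory() as tmp_dir:
        inside = os.path.join(tmp_dir, "photo.jpg")
        with open(inside, "wb") as fh:
            fh.write(b"\xff\xd8")  # constructed stand-in for a downloaded JPEG
        outside = os.path.join(tmp_dir, "..", "not-ours.txt")  # resolves outside tmp_dir
        removed_inside = safe_cleanup(inside, tmp_dir)
        blocked_outside = not safe_cleanup(outside, tmp_dir)
        return removed_inside, blocked_outside, not os.path.exists(inside)


if __name__ == "__main__":
    print("shell string :", repr(run_as_shell_string(HOSTILE_URL)))
    print("argv         :", repr(run_as_argv(HOSTILE_URL)))
    print("quoted shell :", repr(run_as_quoted_shell_string(HOSTILE_URL)))
    print("cleanup      :", cleanup_demo())
```

Run stand-alone, the shell-string variant prints the URL followed by `INJECTED` (the injected `echo` ran), while the argv and quoted variants print the hostile string unchanged. The cleanup helper resolves symlinks with `os.path.realpath` before the containment check so a symlink planted in the temp directory cannot redirect the removal.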

What this means

A very large or non-image response could exhaust disk or memory, or fail later when the agent tries to display it.

Why it was flagged

The helper downloads arbitrary user-supplied HTTP/HTTPS URLs to a temporary file. This is aligned with the skill’s purpose, but the code does not show size limits or content-type validation.

Skill content
urllib.request.urlretrieve(url, filepath) ... out_file.write(response.read())
Recommendation

Only use trusted image URLs, and consider adding a maximum download size enforced on the bytes actually read (Content-Length can be absent or wrong), a socket timeout, and a content-type check before anything is written to disk.
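A bounded fetch of the kind the recommendation describes, as an added example that is not code from the skill or from ClawScan: it checks the URL scheme, applies a timeout, rejects non-image content types, and enforces the size cap on the bytes received rather than trusting Content-Length. `fetch_image`, `try_fetch`, `FakeResponse`, the `ALLOWED_TYPES` allow-list and the 10 MiB default are choices made here; the fake responses are constructed so the example runs offline, and passing no `opener` uses `urllib.request.urlopen` for a real download.

```python
import email.message
import io
import urllib.request

MAX_BYTES = 10 * 1024 * 1024  # assumed cap; tune to the images the skill expects
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif", "image/webp"}  # assumed allow-list


class DownloadError(ValueError):
    """Raised for any response we refuse to keep."""


def _urllib_opener(timeout):
    def open_url(url):
        return urllib.request.urlopen(url, timeout=timeout)
    return open_url


def fetch_image(url, max_bytes=MAX_BYTES, timeout=10.0, opener=None):
    """Download url with a scheme check, timeout, content-type check and a hard byte cap.

    The body is read in chunks and the cap is applied to bytes actually received,
    because Content-Length may be missing or wrong. `opener` lets tests inject a
    fake response object in place of urllib.
    """
    if not url.lower().startswith(("http://", "https://")):
        raise DownloadError("only http(s) URLs are accepted")
    if opener is None:
        opener = _urllib_opener(timeout)
    with opener(url) as resp:
        ctype = resp.headers.get_content_type()
        if ctype not in ALLOWED_TYPES:
            raise DownloadError(f"refusing content type {ctype!r}")
        declared = resp.headers.get("Content-Length")
        if declared is not None:
            try:
                declared_len = int(declared)
            except ValueError:
                raise DownloadError(f"malformed Content-Length {declared!r}")
            if declared_len > max_bytes:
                raise DownloadError(f"declared size {declared_len} exceeds cap {max_bytes}")
        buf = bytearray()
        while True:
            chunk = resp.read(64 * 1024)
            if not chunk:
                break
            buf.extend(chunk)
            if len(buf) > max_bytes:  # server lied or sent no Content-Length
                raise DownloadError(f"body exceeded cap of {max_bytes} bytes")
    return bytes(buf)


def try_fetch(url, **kwargs):
    """(True, data) on success, (False, reason) when the download was refused."""
    try:
        return True, fetch_image(url, **kwargs)
    except DownloadError as err:
        return False, str(err)


class FakeResponse(io.BytesIO):
    """Constructed stand-in for urllib's response: .headers plus chunked .read()."""

    def __init__(self, body, content_type, content_length=None):
        super().__init__(body)
        self.headers = email.message.Message()
        self.headers["Content-Type"] = content_type
        if content_length is not None:
            self.headers["Content-Length"] = str(content_length)


# Constructed sample responses for offline use.
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 1000
SAMPLES = {
    "good":  lambda u: FakeResponse(JPEG_BODY, "image/jpeg", len(JPEG_BODY)),
    "html":  lambda u: FakeResponse(b"<html>login</html>", "text/html"),
    "lying": lambda u: FakeResponse(b"\x00" * 5000, "image/png", 100),   # header understates body
    "huge":  lambda u: FakeResponse(b"\x00" * 5000, "image/png", 5000),
}


if __name__ == "__main__":
    for name, opener in SAMPLES.items():
        ok, result = try_fetch("https://example.com/photo.jpg", max_bytes=2000, opener=opener)
        print(name, "->", "kept %d bytes" % len(result) if ok else "refused: " + result)
```

The "lying" sample is the case a Content-Length check alone misses: the header passes, but the streamed read trips the cap. Writing the bytes to a temporary file only after `fetch_image` returns keeps partially received or rejected bodies off disk.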

What this means

The skill may not work in environments without Python 3 even though the metadata does not warn about that requirement.

Why it was flagged

The registry metadata declares no required binaries or install step, while the skill documentation instructs running `python3 scripts/smart_image_loader.py`. This appears to be an under-declared runtime dependency rather than hidden behavior.

Skill content
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Recommendation

Declare Python 3 as a required binary or document the runtime requirement clearly in the metadata.