Back to skill
Skillv3.5.0
ClawScan security
Vision · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 27, 2026, 12:23 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is internally consistent: it wraps local ImageMagick commands to resize/convert/optimize/watermark images and does not request credentials, remote installs, or unexpected system access.
- Guidance
- This skill appears to do only local image processing with ImageMagick. Before installing: ensure ImageMagick is installed from a trusted package source; run the script on copies of important images (it writes output files and may overwrite if output path matches); avoid passing untrusted or specially-crafted filenames (as the script forwards filenames to shell commands); if you need stronger isolation, run it in a sandbox/container or inspect the full script yourself. The minor version string mismatch is likely harmless but you can ask the maintainer for clarification if desired.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and the included scripts all describe and implement local image processing using ImageMagick. Requested tools and commands (convert/magick/identify) match the stated purpose. Minor metadata mismatch: SKILL.md/version is 3.5.0 while the script header shows Version: 3.0.0 (likely cosmetic).
- Instruction Scope
- okRuntime instructions tell the agent to run the bundled bash script with file inputs and options. The script only reads local files (input images), runs ImageMagick commands, and prints results; it does not reference external endpoints, unrelated system files, or extra environment variables.
- Install Mechanism
- okNo install spec is provided (instruction-only with a shipped script). This minimizes risk from remote downloads; the only external dependency is ImageMagick, which the script checks for and expects to be installed by the user.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The skill's needs (local ImageMagick binary) are proportionate to its function.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request persistent privileges or attempt to modify other skills or system-wide settings. It runs as-needed when invoked.