Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image Compression

v1.0.0

Automatically compresses images exceeding Telegram's 10MB limit by resizing width, adjusting quality, and preserving the original file with a new name.

by Honcy Ye (@yeholdon)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (compress images for Telegram) aligns with the included scripts and SKILL.md, which use macOS sips and provide Telegram sending. However, the package also contains a script to send to WeChat and references a WeChat sender; that extra integration is not highlighted in the top-level metadata and is a mild mismatch.
Instruction Scope
The runtime instructions and the scripts are limited to local image processing and invoking messaging senders, which is expected. However, the scripts call external commands/APIs without declaring them, and one script (scripts/compress_and_send.sh) invokes a hard-coded absolute path: /Users/honcy/.openclaw/skills/WeChat-Send/scripts/wechat_send_image.sh. That assumes a specific local file on the maintainer's machine; if a file exists at that path on the host, it will be executed. This is an incoherent and risky assumption.
Install Mechanism
This is an instruction-only skill with no install spec. Nothing is downloaded or written by an installer. The scripts rely on system-provided macOS 'sips' and optionally 'optipng' if present.
Credentials
The skill requests no environment variables or credentials, which is appropriate for a local compressor. However, it implicitly depends on external tools/commands that are not declared: the 'openclaw' CLI (used to send Telegram messages) and the hard-coded WeChat sender script path. These undeclared external dependencies are disproportionate and could lead to unexpected execution if those binaries/scripts exist on a host.
Persistence & Privilege
The skill does not request 'always: true' and does not try to modify other skills or system configuration. It runs as invoked and does not persist or escalate privileges by itself.
What to consider before installing
Do not run these scripts without inspection. Specific recommendations:

- Open and review scripts/compress_and_send.sh and scripts/compress_and_send_telegram.sh; note the hard-coded path /Users/honcy/.openclaw/skills/WeChat-Send/scripts/wechat_send_image.sh — remove or replace it with a configurable call (or verify that the target script is trustworthy).
- Confirm you want the WeChat-send behavior (the README/description focuses on Telegram but the skill has WeChat integration).
- Ensure the 'openclaw' CLI the scripts call is the expected trusted tool on your machine before running; if not present, the Telegram send will fail safely but won't execute unexpected network calls.
- Run the compression script on non-sensitive images first and prefer running scripts under a restricted/test account or sandbox.
- If you plan to use this skill, edit the scripts to avoid absolute author-specific paths and make external senders configurable arguments so they can't accidentally execute arbitrary files in users' home directories.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9725gdgx2s55jf4jbcknfgj75832gza
