AI Image Check

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill matches its stated purpose, but it will store a Scam.ai API key locally and upload the selected image to Scam.ai for analysis.

This appears safe for its stated purpose if you are comfortable using Scam.ai. Before installing, use a service-specific API key when possible, avoid submitting sensitive images unless you trust Scam.ai's handling of them, and remember that the key will be stored in your home directory until you delete or rotate it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent will handle and persist a service credential that may authorize Scam.ai API usage and could affect account billing or access if misused.

Why it was flagged

The skill reads and stores Scam.ai API credentials, including an optional Universal key that works across Scam.ai services. This is disclosed and purpose-aligned, but credential handling is sensitive.

Skill content

cat ~/.scamai_genai_key ... cat ~/.scamai_universal_key ... Once the user provides the key, save it to the matching file

Recommendation

Prefer a service-specific Gen AI Detection key, use a Universal key only if you intentionally want broader Scam.ai access, and delete or revoke the key if you no longer trust the skill.

What this means

Any image you choose to analyze will be sent to Scam.ai, which may matter if the image contains private, personal, or confidential content.

Why it was flagged

The selected image is uploaded to Scam.ai for analysis. This is the stated purpose, but the artifact does not describe provider retention or privacy handling for submitted images.

Skill content

curl -s -X POST "https://api.scam.ai/api/defence/ai-image-detection/detect-file" ... -F "file=@PATH_TO_FILE"

Recommendation

Only submit images you are comfortable sending to Scam.ai, and review Scam.ai's privacy or data-retention terms for sensitive material.

What this means

The agent may run local shell commands to read the key file and upload the selected image.

Why it was flagged

The skill uses shell commands and substitutes a user-provided image path into a curl upload. This is central to the skill's function, but file paths should be handled safely.

Skill content

Use the Bash tool ... curl ... -F "file=@PATH_TO_FILE"

Recommendation

Use normal image filenames and avoid paths with unusual shell characters; the skill should only run this command for an image path you explicitly provide.