Local Image Search
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: local-image-search
Version: 1.0.0
The skill bundle provides scripts for local image search and management, using standard macOS utilities like `mdfind` and `fd`. All shell scripts properly quote user-provided arguments (`"$VAR"`), mitigating shell injection risks. The `SKILL.md` file contains no prompt injection attempts or instructions for the agent to perform actions outside the stated purpose. While the scripts have broad file system access (searching and copying files), this is inherent to their stated function and there is no evidence of malicious intent such as data exfiltration, persistence mechanisms, or unauthorized remote communication.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may enumerate photos across a broad local folder if the user does not provide a narrower directory.
The list-all helper defaults to searching the user's home directory for image files. This is consistent with local image search, but it may expose many private photo paths to the agent unless scoped by the user.
DIR="${1:-$HOME}" ... mdfind -onlyin "$DIR" "kMDItemContentTypeTree == 'public.image'" ... find "$DIR" -type f
Specify an exact folder such as ~/Pictures/TripName when searching, and review results before using them in follow-up actions.
Selected images could be copied into another local folder, including a synced folder, if the destination is chosen carelessly.
The copy helper copies every existing file path received on stdin into a user-supplied destination. This is an expected utility for search results, but it can duplicate local files if used with an overly broad or unintended input list.
mkdir -p "$DEST" ... cp "$file" "$DEST/"
Only pipe reviewed search results into the copy helper and choose a destination folder intentionally.
Some documented commands may fail or could tempt a user to download replacement scripts from an untrusted source.
The documentation lists helper scripts that are not present in the provided file manifest. This appears to be a documentation/package completeness issue rather than malicious behavior, but users should avoid substituting unreviewed scripts.
`scripts/search_by_size.sh` ... `scripts/search_similar.sh` ... `scripts/thumbnail.sh`
Use only the included scripts unless additional helpers are obtained from a trusted, reviewed source.
