Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Image Compressor
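v1.0.1
Image compression and format conversion tool supporting JPEG/PNG/WebP/AVIF/GIF. Uses rv-image-optimize for high-quality compression, batch processing, resizing, and lazy-loading component integration.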
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md and the two scripts consistently describe an image compression/format-conversion tool using 'rv-image-optimize' and 'sharp'. However the registry metadata declares no required binaries while the instructions and scripts assume a globally installed CLI/library (rv-image-optimize). This mismatch between declared requirements and actual instructions is an incoherence.
Instruction Scope
Instructions and scripts only operate on user-supplied files and directories (no network calls, no credential access). That fits the stated purpose. Concerns: SKILL.md references a script named scripts/convert-format.js but the included file is scripts/quick-convert.js (filename mismatch). The batch script also calls readdir with a { recursive } option which is not a standard fs.promises.readdir option — this is a likely bug, not a secret-exfiltration behavior, but it means the code may not work as described.
Install Mechanism
There is no install spec (instruction-only), which is low risk. But the skill expects external packages (rv-image-optimize and sharp) and a global CLI; those are not declared in the metadata nor automatically installed. The lack of an install step for dependencies is an operational gap and can lead to confusion or broken installs, but not inherently malicious.
Credentials
The skill requests no environment variables, credentials, or config paths. The scripts access only filesystem paths provided by the user and do not attempt to read environment secrets or external configs — proportional for this purpose.
Persistence & Privilege
The skill does not request always: true and is user-invocable. It doesn't modify other skills or system-wide settings. No elevated persistence behavior is requested.
What to consider before installing
This package appears to be an image-compression tool, but it has inconsistencies and likely bugs rather than obvious malicious code. Before installing or using it: 1) Expect to manually install 'rv-image-optimize' and 'sharp' (the SKILL.md assumes a global CLI/library but the registry metadata doesn't declare it). 2) Verify filenames — SKILL.md mentions scripts/convert-format.js but the repo provides scripts/quick-convert.js; open and test scripts in a safe sandbox. 3) Test on a small folder first (avoid running against system or sensitive directories) because the batch script will recursively operate on whatever path you provide and may have a broken readdir call. 4) If you plan to run it automatically, inspect the code yourself or run in an isolated environment; no credentials are requested, but the tool will read and write files you point it at. If these operational issues are acceptable, the package is probably usable after small fixes; if you need guaranteed correctness or provenance, seek a published package with a homepage and clear install instructions.
Like a lobster shell, security has layers — review code before you run it.
