linkfoxai-image-tool

VirusTotal audit pending.

Overview

No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a scripts directory is later present or supplied outside the reviewed package, the agent could run local code whose behavior the user and registry did not verify.

Why it was flagged

The skill directs the agent to execute platform-specific local shell/PowerShell scripts if found. The provided manifest contains only SKILL.md, so the referenced scripts were not available for static review.

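Skill content

`Step 2`: Then actually read the current skill's `scripts/` directory... `Step 3`: ... `Win` corresponds to `.ps1`; `macOS` and `Linux` correspond to `.sh`. `Step 4`: If the script exists and runs successfully, use the script's standard output directly as the final result.

Recommendation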

Do not run any local scripts for this skill unless their contents are present, reviewed, and explicitly approved; the publisher should include the scripts in the package or remove this execution path.

What this means

The agent may persist and use an account API key for provider calls even though the credential requirement is not clearly declared before installation.

Why it was flagged

The skill uses a provider API key, reads it from a local config file, and writes it back if supplied, while the registry requirements declare no required env vars, primary credential, or config paths.

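Skill content

`apiKey`: First confirm that `ZNOPEN_API_KEY` is available; by default it is read from `~/.znopen/config.json`; if it is missing, first prompt the user to provide it, then write it back to the file once provided to complete the configuration.

Recommendation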

Use a narrowly scoped API key, confirm before storing it locally, and require the skill metadata to declare ZNOPEN_API_KEY and ~/.znopen/config.json.

What this means

Images selected for processing may be uploaded to the external provider and returned as hosted URLs.

Why it was flagged

The skill sends image data to the declared ZNOPEN/Open Platform endpoint, which is expected for an image upload and image-processing tool.

Skill content

requestUrl: https://sbappstoreapi.ziniao.com/openapi-router/linkfox-ai/image/v2/uploadByBase64 ... Required Inputs: fileName, base64

Recommendation

Only process images you are comfortable sending to this provider, especially if they contain private or commercial content.