Security scan
OpenClaw
Suspicious
high confidence
The skill appears to implement image compression as described, but it contains unsafe defaults (a hard-coded webroot path) and encourages running with sudo and in-place overwrites, behaviors that are disproportionate to a simple compressor and could cause unintended damage.
Assessment recommendations
Do not run this script as root or with sudo without checking what it will do. Inspect and (preferably) change the default path in the script; it currently points to /www/wwwroot/lovehibachi_demo/public/static/img, which could overwrite a website's images if you run it with no args. Test on a copy of images first, and back up originals; consider adding a dry-run or backup step. Avoid running the provided examples verbatim (they show sudo). If you proceed, run inside a controlled directory (not s...
ℹ Purpose and capability
Name/description match the included script: a Pillow-based batch compressor for JPG/PNG. However the script defaults to a very specific path (/www/wwwroot/lovehibachi_demo/public/static/img) which is unrelated to a generic 'img-compress' purpose and suggests the package was tailored to one environment.
⚠ Instruction scope
SKILL.md instructs running the script with sudo in examples; the script overwrites originals in-place and will scan any directory provided (or the hard-coded default). There are no safeguards (no dry-run, no backups, no confirmation) and PNG handling may convert some images to JPEG, losing alpha. These instructions widen scope beyond harmless compression and increase risk of destructive changes.
✓ Install mechanism
No install spec; this is an instruction-only skill plus a small Python script. Dependency is only Pillow (pip). No external downloads or obscure installers are used.
✓ Credential requirements
The skill requests no credentials, environment variables, or config paths. It does not attempt network access or exfiltration. The only notable environment guidance is example use of sudo (over-privileged but not a credential request).
ℹ Persistence and privileges
The skill does not request permanent presence or elevated platform privileges, but examples encourage using sudo and the default path targets a webroot that often requires elevated permissions. This combination increases the blast radius if run carelessly.
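Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/4/4
English description updated
● Suspicious
Install command
Official: npx clawhub@latest install img-compress
Mirror (accelerated): npx clawhub@latest install img-compress --registry https://cn.clawhub-mirror.com
Skill documentation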
Batch image compression tool based on Pillow (PIL).
Quick Usage
# Compress images over 100KB to 80KB
sudo python3 skills/img-compress/scripts/compress_img.py /path/to/images
# Custom target size (KB)
sudo python3 skills/img-compress/scripts/compress_img.py /path/to/images 150
Compression Rules
- JPG/JPEG: Gradually reduce quality (85→50) + optimize until under target size
- PNG: Pillow PNG compression (limited), recommend pngquant for better results
- Files under target size are skipped
- Overwrites original files (in-place)
Dependencies
- Python3
- Pillow:
pip3 install Pillow
Typical Scenarios
# Compress website static assets
sudo python3 skills/img-compress/scripts/compress_img.py /var/www/static/img 100
Data source: ClawHub · Chinese localization: 龙虾技能库