Security scan
OpenClaw
Safe
medium confidence
The skill's requirements and runtime instructions are mostly coherent for uploading images to a third‑party image host and embedding them in GitHub, but there are a few small gaps and privacy considerations to be aware of before installing.
Assessment recommendations
This skill is internally consistent for its stated purpose, but check a few things before enabling it: 1) Images are uploaded to a third‑party host (img402.dev) and become publicly accessible via the returned URL — avoid uploading sensitive screenshots. 2) The SKILL.md uses macOS commands (screencapture, sips); on Linux/Windows you’ll need alternate screenshot/resize tools. 3) gh commands rely on your local gh authentication/config — ensure gh is configured and you’re comfortable letting the age...
Detailed analysis
ℹ Purpose and capability
The skill's name/description match what the SKILL.md instructs (use curl to POST to img402.dev and use gh to add the returned URL to PRs/issues). Required binaries list curl and gh which is appropriate. Minor mismatch: SKILL.md also uses macOS-specific utilities (screencapture, sips) but those are not listed in the required binaries or described as platform-specific.
ℹ Instruction scope
Instructions explicitly upload local image files to https://img402.dev/api/free and then post the returned public URL to GitHub via the gh CLI — this is exactly the stated purpose. The instructions do cause user images to be transmitted to an external third‑party host (necessary for the feature). They also assume gh is authenticated (gh uses local credentials/config) and use macOS-only screenshot/resize commands without cross-platform alternatives; the skill does not instruct reading unrelated files or secrets.
✓ Install mechanism
There is no install spec and no code files; this is instruction‑only and therefore doesn't write code to disk or fetch external archives. That is the lowest‑risk install pattern and consistent with the skill's simplicity.
ℹ Credential requirements
The skill requests no environment variables and no credentials from the registry metadata, which matches the claim of "no auth" for img402.dev. However, use of the gh CLI implies reliance on the agent user's existing GitHub credentials/config (gh stores auth elsewhere); that implicit dependency is reasonable but not documented in requires.env. Also, images will be uploaded to an external service — no secret tokens are needed, but sensitive images will be externally transmitted.
✓ Persistence and privilege
always is false and the skill does not request elevated or persistent system presence. It does not modify other skills or system configs. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/11
- Initial release: upload images to img402.dev for easy embedding in GitHub PRs, issues, and comments.
- Supports free uploads under 1MB, with images persisting for 7 days and no authentication required.
- Includes shell workflow for capturing, resizing, uploading images, and embedding returned URLs in markdown.
- Integration examples provided for adding images to GitHub via `gh` CLI.
- Documents constraints: supported formats, upload limits, and retention policy.
- Notes on paid tier for permanent, larger images.
● Benign
Install command
Official: npx clawhub@latest install github-image-hosting
Mirror (accelerated): npx clawhub@latest install github-image-hosting --registry https://cn.longxiaskill.com