by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions broadly match its stated purpose (transforming photos via Claude + Gemini) but contain multiple coherence and risk issues: the registry metadata omits required API keys/paths, the README instructs a remote curl | sh installer, it stores API keys in a local SQLite DB, and it reads/writes your Apple Photos (including face-detection names) and can schedule recurring runs — all of which merit caution.
评估建议
Things to consider before installing/running this skill:
- Registry metadata is incomplete: SKILL.md requires ANTHROPIC_API_KEY and GEMINI_API_KEY and uses a local DB and launchd, but the registry entry lists none — treat the package as only partially described.
- Do not blindly run the recommended 'curl … | sh' installer. Inspect the install script (uvx.sh/imagemine/install.sh) before executing. Prefer manual installation or a checked package from a trusted source.
- The tool sends your photos...详细分析 ▾
⚠ 用途与能力
The SKILL.md clearly requires Anthropic and Google Gemini API keys and integrates deeply with macOS Photos and launchd, which is coherent with the described functionality. However, the registry metadata declares no required env vars or config paths — that omission is inconsistent and misleading. Asking for Photos access, face-detection names, and the ability to write back to albums fits the feature set but should have been declared up-front.
⚠ 指令范围
The runtime instructions direct the agent to: read macOS Photos albums (including face-detection names/people), resize images, send images to external APIs (Anthropic/Claude and Google/Gemini), write generated images back into Photos shared albums, write a local SQLite DB (~/.imagemine.db) containing run metadata and saved API keys, and optionally create a launchd plist for scheduled runs. These actions go beyond simple local image editing and carry privacy implications. They are generally coherent with the advertised features but are not limited to safe/local-only operations and are not fully declared in the registry metadata.
⚠ 安装机制
The registry lists no install spec, but SKILL.md suggests a one-liner 'uvx imagemine' and a permanent install via 'curl -LsSf uvx.sh/imagemine/install.sh | sh'. Piping a remote installer to sh is a high-risk pattern because it executes remote code without local review. The host uvx.sh is not documented in registry metadata; the install approach is therefore disproportionate and risky.
⚠ 凭证需求
The tool legitimately needs ANTHROPIC_API_KEY and GEMINI_API_KEY to call the services it claims to use. However, the skill stores keys in a local SQLite DB (~/.imagemine.db) by default (DB → env → prompt resolution order), which may store secrets in plaintext and increases exposure. The SKILL.md also accesses Photos face-detection metadata (PII) and will transmit images and derived prompts to external APIs — appropriate for the feature but privacy-sensitive and should be clearly declared in registry metadata.
ℹ 持久化与权限
The skill does not set always:true. It does, however, provide an option to install a launchd agent (writes ~/Library/LaunchAgents/imagemine.plist and instructs using launchctl) so it can run periodically and generate/upload images automatically. That behavior is coherent with the 'screensaver' feature but increases the blast radius (scheduled, autonomous uploads). Users should review generated plist contents and the scheduling choice before enabling.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/4
- Initial release of photo-alchemy. - Instantly transform photos into surrealist AI art using an automated Claude + Gemini pipeline. - Deep integration with Apple Photos: select photos from albums, save AI art back, manage character mappings, and schedule auto-generation for Apple TV screensavers. - 35+ built-in artistic visual styles, with interactive management and blending. - Flexible configuration, API key setup, detailed run history, and scripting features. - Core functionality supported on all platforms; Apple Photos features require macOS.
● Pending
安装命令
点击复制官方npx clawhub@latest install photo-alchemy
镜像加速npx clawhub@latest install photo-alchemy --registry https://cn.longxiaskill.com