deadlining

Fast Image

Author: DeadLining · GitHub · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 437 · Favorites: 1 · Current installs: 1 · Versions: 3
Install in OpenClaw: /install fast-image
Description
Quickly send local images to channel. Auto-compress large images, copy small images directly.
Usage instructions (SKILL.md)

fast-image

Quickly send local images to specified channel. Auto-handles image copy/compress and send.

Usage

node {baseDir}/send_image.mjs "<image_path>" <channel> <target> [message]

Parameters

Parameter | Description | Required
image_path | Full path to image | Yes
channel | Target channel name | Yes
target | Target user/group | Yes
message | Optional message | No

Features

  1. Image processing

    • File < 10MB: Copy directly to ~/.openclaw/media/browser/
    • File >= 10MB: Compress with sharp then copy
  2. Send: Use openclaw message send --media to send

  3. Cleanup: Auto-delete temp file after sending

Examples

node {baseDir}/send_image.mjs "~/Pictures/photo.png" telegram @chatname
node {baseDir}/send_image.mjs "~/Downloads/large.jpg" telegram @chatname "landscape"

Dependencies

  • Node.js
  • sharp: npm install sharp
  • openclaw CLI
Security usage advice
This skill appears to do what it says: compress or copy a local image then call your openclaw CLI to send it. Before installing/using: 1) Ensure you have the openclaw CLI and the sharp Node package installed. 2) Be aware of two implementation issues you may want to fix: the script uses the literal path "~/.openclaw/..." instead of expanding ~ to the home directory (so it may create a directory named "~" instead of using your home), and it spawns the openclaw command with shell: true and unescaped arguments — if you or another agent can pass untrusted file paths, that could permit shell injection. 3) Confirm you're comfortable with the script deleting the temporary file after sending (it skips deletion for channel 'qqbot'). If you want to harden it, update TMP_DIR to use os.homedir(), and invoke the CLI with spawn/execFile without shell or ensure arguments are safely escaped.
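The hardening suggested above (os.homedir() for the media directory and a shell-free call), as an added example that is not the skill's send_image.mjs. The flag names other than --media are assumptions, and node itself stands in for the openclaw CLI so the run is self-contained.

```javascript
// Added example, not the skill's own send_image.mjs.
const os = require("node:os");
const path = require("node:path");
const { execFileSync } = require("node:child_process");

// Only a shell expands "~"; fs and path treat it as an ordinary directory
// name, so a leading "~" has to be resolved explicitly.
function expandTilde(p) {
  if (p === "~") return os.homedir();
  if (p.startsWith("~/")) return path.join(os.homedir(), p.slice(2));
  return p;
}

// Media directory named in SKILL.md, anchored at the real home directory
// instead of the literal string "~/.openclaw/media/browser/".
const TMP_DIR = path.join(os.homedir(), ".openclaw", "media", "browser");

// Build the argument vector as an array, one element per value.
// "message send --media" comes from SKILL.md; the --channel, --target and
// --message flag names are assumptions made for this example.
function buildSendArgv(mediaPath, channel, target, message) {
  const argv = ["message", "send", "--media", mediaPath,
                "--channel", channel, "--target", target];
  if (message !== undefined) argv.push("--message", message);
  return argv;
}

// Start a child with execFile semantics (no shell in between) and return the
// arguments it actually received. The child is node echoing its own argv,
// standing in for the openclaw CLI.
function argvSeenByChild(argv) {
  const echo = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";
  const out = execFileSync(process.execPath, ["-e", echo, "--", ...argv],
                           { encoding: "utf8" });
  return JSON.parse(out);
}

// Constructed inputs containing shell metacharacters.
const sample = buildSendArgv(path.join(TMP_DIR, "a b.png"), "telegram",
                             "@chat; echo injected", "$HOME && echo x");
console.log(argvSeenByChild(sample));
```

Each metacharacter-laden value arrives in the child as one unchanged argument, which is the property `shell: true` with a concatenated command line does not give.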
Functional analysis
Type: OpenClaw Skill
Name: fast-image
Version: 1.0.2
The skill `fast-image` is classified as suspicious due to a shell injection vulnerability in `send_image.mjs`, where `child_process.spawn` is invoked with `shell: true` using unsanitized user-provided arguments. This allows for arbitrary command execution if parameters such as `target` or `message` contain shell metacharacters. Additionally, the script lacks path validation for the `image_path` parameter, which could be exploited to read and exfiltrate sensitive local files.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and the bundled send_image.mjs are consistent: the script copies or compresses a local image and invokes the openclaw CLI to send it. Declared dependencies (Node, sharp, openclaw CLI) match the implemented behavior.
Instruction Scope
The runtime instructions operate only on the provided image path, a temporary media directory, and the openclaw CLI. Two implementation notes: the TMP_DIR is set to the literal string "~/.openclaw/media/browser/" (the script does not expand '~' to the user's home directory), which is likely a bug/behavior mismatch; and spawn(...) is invoked with shell: true and unescaped arguments, which could allow shell injection if an untrusted actor supplies a crafted image path. The script otherwise does not read unrelated files or env vars.
Install Mechanism
This is instruction-only with one bundled JS file and no install spec; nothing is downloaded or written by an installer. The script requires the sharp package and the external openclaw CLI but does not automatically fetch them.
Credentials
No environment variables, credentials, or config paths are requested. The resources accessed (local image and a local/openclaw media directory) are proportional to the stated task.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills, and does not alter system-wide configuration. It only runs the included script when invoked.
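How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install fast-image
  3. Once installed, invoke the Skill by name or trigger it with /fast-image
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history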
v1.0.2
No changes detected in this version. - No file or documentation updates were made for version 1.0.2. - Feishu does not support /var/tmp
v1.0.1
- Maintenance release with no user-facing changes. - Internal file modifications only; documentation and features remain unchanged.
v1.0.0
fast-image 1.0.0 - Initial release. - Send local images to specified channel & user/group. - Automatically compress images ≥10MB; copy smaller images directly. - Supports optional message along with image. - Automatic cleanup of temporary files after sending. - Requires Node.js, sharp, and openclaw CLI.
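Metadata
Slug: fast-image
Version: 1.0.2
License: MIT-0
Cumulative installs: 1
Current installs: 1
Historical versions: 3
FAQ

What is Fast Image?

Quickly send local images to channel. Auto-compress large images, copy small images directly. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 437 total downloads so far.

How do I install Fast Image?

Run the command "/install fast-image" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.

Is Fast Image free?

Yes, Fast Image is completely free under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Fast Image support?

Fast Image runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Fast Image?

Developed and maintained by DeadLining (@deadlining); the current version is v1.0.2.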
