Is joeru/claw2immich safe?
https://github.com/openclaw/skills/tree/main/skills/joeru/claw2immich
The claw2immich skill is a legitimate Immich photo library integration with no prompt injection, malicious code, or confirmed data exfiltration. Its primary risk profile is inherent to its purpose: the skill exposes 249 Immich API tools including facial recognition search, GPS metadata access, and unauthenticated shared link generation, creating significant photo privacy exposure if the agent is manipulated or misconfigured. Minor code quality issues (unsanitized shell script inputs, hardcoded internal hostname, developer lock file committed to package) indicate publishing hygiene gaps but no malicious intent.
Category Scores
Findings (8)
MEDIUM Unauthenticated shared link creation exposes private photos -18 ▶
The downloadAsset tool and immich_createsharedlink create 30-minute tokenized URLs that require no authentication. An agent following this skill could silently send these links to external parties via a messaging tool. Users may not realize their private photos are accessible without credentials via the generated URL.
MEDIUM Facial recognition + GPS metadata enables systematic photo privacy breach -11 ▶
The skill's searchperson and searchassets tools expose the Immich facial recognition index and GPS EXIF data. An adversary could craft a prompt that enumerates all photos of a specific person across all locations and dates without the user explicitly requesting such a complete profile.
MEDIUM 249-tool attack surface enables unintended operations via prompt injection in photo metadata -15 ▶
With 249 Immich API tools available and full_scope profile including admin endpoints, a malicious string embedded in a photo filename, caption, or album name could trigger additional API calls beyond what the user intended. The agent has no built-in confirmation step before destructive operations.
LOW Unsanitized user input in shell script MCP argument construction -8 ▶
The example bash scripts inject PERSON, CITY, and date variables directly into JSON-formatted MCP arguments without escaping. If an attacker can influence these values (e.g., via a Telegram message or file naming), they could inject additional JSON fields or break argument quoting.
LOW File download using server-supplied original filename (path traversal risk) -10 ▶
get-photo-urls.sh downloads photos using 'curl -o "$FIRST_NAME"' where FIRST_NAME comes from the Immich server's originalFileName field. A malicious Immich server or compromised account could supply filenames like '../../.bashrc' to overwrite files outside the intended directory.
LOW Canary files accessed during execution window (attributed to OpenClaw infrastructure) -7 ▶
The audit log shows .env accessed at timestamps 1771918544 and 1771918551 — during the skill installation window but before skill files were copied to the test directory (1771918555). This access pattern is consistent with the OpenClaw gateway reading its own .env configuration on startup, not with skill-originated access. All canary files remain intact per the integrity check.
LOW Developer's personal lock file and internal server hostname committed to published skill -5 ▶
.clawhub/lock.json references an unrelated skill ('academic-research-hub') installed 11 days before publication, revealing the developer's workspace state. get-photo-urls.sh hardcodes 'http://joesnuc:2283' as the default Immich server, leaking a personal network hostname. Neither is malicious but indicates poor publishing hygiene.
INFO Standard sparse-checkout install from openclaw/skills monorepo 0 ▶
Installation uses git clone with --depth 1 and sparse-checkout targeting only skills/joeru/claw2immich — a clean, minimal fetch pattern. Network connections are exclusively to github.com (140.82.114.4) and Ubuntu package infrastructure. No unexpected outbound connections detected.