Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Image Prompt Memory
v1.0.0
Stores and retrieves successful image generation prompts by category, style, and keywords for quick reuse and recommendation.
by @acilgit
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: storing and searching prompt entries locally is coherent with an 'Image Prompt Memory' skill. However the SKILL.md hardcodes a data file path (/root/.openclaw/workspace/data/prompt_library.json) even though the skill metadata declares no required config paths — this mismatch should be clarified.
Instruction Scope
The instructions direct the agent to automatically save successful prompts to a specific file and to perform searches and recommendations locally. '自动保存' (automatic saving) could result in persistent storage of user-provided prompts without an explicit opt-in per save. The doc also assumes read/write access to a root-owned workspace path, which may be unexpected.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written during installation according to the registry.
Credentials
No environment variables or credentials are requested, which is appropriate. However, the runtime instructions reference and require write/read access to a specific filesystem path under /root that was not declared in 'required config paths'. That undeclared file-path requirement is a proportionality mismatch and could be surprising for users or administrators.
Persistence & Privilege
The skill is not marked always:true, so it won't be force-included, but the instructions explicitly call for automatic saving of prompts. Combined with the platform default allowing autonomous invocation, the skill could persist user data without per-action confirmation unless the agent enforces prompt/consent rules.
What to consider before installing
This skill appears to do what it says (store and recommend image prompts) but you should verify a few things before enabling it:
1) Confirm where you want prompt data stored — the SKILL.md hardcodes /root/.openclaw/workspace/data/prompt_library.json but the registry claims no config paths. If you don't want files under /root, change the path or deny write access.
2) Ask whether automatic saving is desirable: automatic writes can persist sensitive prompts; prefer an explicit save/consent flow.
3) Because the skill is instruction-only, review agent behavior around file I/O and ensure the agent runs with limited filesystem permissions if you want to contain risk.
4) If you require an audit trail, inspect the file after first use to confirm format and contents.
If the author cannot explain why the path is hardcoded or provide a configurable storage location, treat the mismatch as a red flag.
Like a lobster shell, security has layers — review code before you run it.
latest vk975t59kb3kevk9dgpsp5vttph83sna1
