Invoke ARTCLAW platform's AI content creation capabilities via REST API. Supports AI image generation, video generation, workflow execution, multimodal analysis, and more.
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: artclaw-creative-suite Version: 1.0.0 The bundle is classified as suspicious primarily due to a self-update mechanism in `scripts/artclaw.py` that downloads a ZIP archive from a remote GitHub repository and overwrites local files, which facilitates remote code execution and persistence. Additionally, `scripts/feishu_send_video.py` is designed to read sensitive credentials directly from `~/.openclaw/openclaw.json`. While these features align with the stated purpose of a managed creative suite, the ability to modify its own code and access external platform configurations presents a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing it must grant access to an ARTCLAW account, which may allow paid job submission or account/job queries depending on the API key’s privileges.
The skill requires an ARTCLAW API key and uses it as an account-level credential for authenticated generation, analysis, workflow, and job-management requests.
"auth": { "type": "apiKey", "headerName": "X-API-KEY", "prefix": "vk_", "required": true }Use a dedicated ARTCLAW API key with the minimum privileges available, monitor credit usage, and revoke the key if the skill is no longer needed.
If Feishu delivery is used, the skill can send generated media through the configured Feishu app/account to the recipient supplied to the helper.
The Feishu delivery helper reads local OpenClaw Feishu configuration to obtain app credentials for sending media messages.
config_path = os.path.expanduser("~/.openclaw/openclaw.json")Only enable or invoke Feishu/Telegram delivery when you intend to send the result, and verify the destination recipient or chat before delivery.
If a private local file path is provided as a reference, that file’s contents may be sent to the ARTCLAW service as part of the generation request.
The documented CLI can read local files supplied as reference inputs and encode them for use in generation requests.
`--reference-files` | Local reference files, auto-converted to base64 | One or more paths
Pass only files you intentionally want to use as references, and avoid providing paths to unrelated private documents.
Generation jobs may continue running after the main agent response, and results may be delivered later.
The OpenClaw adapter intentionally uses spawned/background execution for long-running generation or workflow jobs.
Pass `sessions_spawn_args` to `sessions_spawn`. Immediately tell the user the job has been submitted. Do not wait silently in the main agent.
Monitor spawned/background tasks and use the platform’s cancellation or job-status features if a job was started by mistake.
API configuration, job metadata, prompts, or result URLs may remain on disk and be reused by later runs.
The skill persists configuration and job data locally, and adapters may later read last_job.json to report results.
All local ARTCLAW data is stored under `~/.artclaw/`, including `config.json`, `last_job.json`, and `history/`.
Avoid using sensitive prompts or reference content unless necessary, and clear ~/.artclaw if you do not want local job history retained.
If an update path uses that tarball, future code could differ from the reviewed package contents.
The manifest points updates at the moving main branch rather than a pinned release artifact.
"update": { "method": "tarball", "url": "https://github.com/ArtClaw1/artclaw-skill/archive/refs/heads/main.tar.gz" }Prefer pinned releases or review the GitHub source before updating the skill.