Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Photo Pack Generator
v0.1.0
Generate a pack of professional or aesthetic photos from a single reference image while preserving the exact identity of the person.
⭐ 0· 236·0 current·0 all-time
by Anil Chandra Naidu Matcha (@anil-matcha)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and the bundled shell script align with the stated purpose (producing multiple stylized images that preserve a reference face). However the script expects platform-local helper scripts (../../../../core/media/upload.sh and generate-image.sh) which are not declared in the skill metadata; those helper scripts will control where the reference image and generated images are sent/stored and should be audited before use.
Instruction Scope
The runtime instructions forbid describing age/ethnicity/hair/beard, and insist identity must be preserved, yet the bundled prompts/templates in scripts explicitly set hairstyle, clothing, environment, and even cosmetic/implant details in ways that could contradict the stated guardrails. There are contradictions between 'do not describe hair/beard' and prompt lines that set hairstyles; between 'maintain similar head orientation' and prompts that request 'looking directly at the camera' or large scene changes. This mismatch gives the agent broad and inconsistent discretion over how the subject will be represented.
Install Mechanism
No install spec (instruction-only) reduces surface risk because nothing is downloaded automatically. The included bash script is the only code; it calls external local helper scripts (upload.sh, generate-image.sh) and writes to a media_outputs path. Those helper scripts may perform network I/O or external service calls — audit them to understand actual network endpoints and behavior.
Credentials
The skill declares no required environment variables or credentials (proportionate). That said, the script uploads images via a helper upload.sh and invokes generate-image.sh: those helpers could require or use credentials or send images to third-party services. The skill itself does not declare or request those secrets, so you must inspect the helper scripts or runtime environment to confirm where data goes and what credentials are used.
Persistence & Privilege
The skill does not request persistent/always-on privileges and is not force-included. It does not modify other skills' configs in the provided files.
What to consider before installing
Before installing or running this skill:
1) Inspect the referenced helper scripts (../../../../core/media/upload.sh and generate-image.sh) to confirm where images are uploaded, which external endpoints are contacted, and what credentials (if any) they use.
2) Review the bundled prompts: there are contradictions between the SKILL.md guardrails (don’t describe hair/age/etc., preserve identity) and concrete prompt templates that add hairstyles/props/implants — decide whether those templates meet your privacy/consent requirements.
3) Confirm you have permission from any person whose face will be used; this tool can produce realistic, contextualized images of a real person which may have legal or ethical implications.
4) If you plan to run this in a restricted environment, run the script in a sandbox and monitor network calls and file writes. If you cannot inspect the helper scripts or verify where uploads go, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latestvk9793nv7fdryydy5gpv23dq23x82t7jr
