Infographic creator socials

Pass

Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: infographic-creator
Version: 1.0.2

The infographic-creator skill is a legitimate utility for generating social media visuals using OpenAI's image APIs. It features a well-documented design system and a Python script (scripts/generate.py) that includes robust security checks to prevent path traversal when handling local assets and output files. The workflow uses standard tools like curl for fetching favicons and cairosvg for image conversion, and the SKILL.md documentation explicitly includes security best practices for the AI agent, such as API key scoping and input validation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill may use your OpenAI account and incur provider charges.

Why it was flagged

The renderer uses the local OpenAI client credential to call the image API. This is expected for gpt-image-2 generation, but it grants API-spend authority and is not reflected in the registry's primary credential field.

Skill content

OPENAI_API_KEY=sk-... python3 generate.py ...
...
client = OpenAI()

Recommendation

Use an OpenAI key intended for this project, monitor usage, and revoke or rotate the key if you stop using the skill.

What this means

Any prompt text, avatar, logo, or screenshot selected as a reference may be sent to OpenAI for rendering.

Why it was flagged

The code uploads the prompt and selected reference image files to OpenAI. The script restricts reference images to assets_dir, which helps, but user-provided avatars or screenshots may still contain sensitive information.

Skill content

result = client.images.edit(
    model=model,
    image=files,
    prompt=prompt,
    size=api_size,
    quality=quality,
)

Recommendation

Only place images in the assets folder that you are comfortable sending to OpenAI, and redact private details from screenshots before rendering.

What this means

Brand or domain names used in the infographic may be requested from Google, and downloaded image files will be saved locally.

Why it was flagged

The workflow instructs the agent to make external Google favicon requests and write downloaded files into the assets directory. This is purpose-aligned asset enrichment, but it is external network and file-write activity.

Skill content

Brand favicons via Google's favicon service ... Download with `curl -sL <url> -o assets/<name>.png`.

Recommendation

Avoid using confidential internal domains unless you are comfortable sending them to Google's favicon service; review downloaded assets before use.

What this means

Installing dependencies may pull newer package versions than originally tested.

Why it was flagged

The setup example installs unpinned Python packages from the package ecosystem. The instruction recommends a virtualenv and asks before system-wide install, which reduces risk, but the versions are still not fully pinned.

Skill content

python3 -m venv .venv && source .venv/bin/activate
pip install --quiet "openai>=1.0" "cairosvg>=2.7"

Recommendation

Use the virtualenv approach, avoid system-wide installs, and pin or review dependency versions in environments where reproducibility matters.

What this means

People or tools with access to the project folder may see prior prompt content, branding details, or avatar references.

Why it was flagged

The skill keeps local state and generated prompts for reuse across sessions. This supports consistent branding, but it means handle, avatar path, theme, and prompt content may persist in the project directory.

Skill content

style.json # active theme (filled at runtime: accent color, handle, avatar path)
...
prompts/ # one .py file per generated piece, kept for re-rendering
...
reuse the existing `style.json`

Recommendation

Keep the infographics folder private, and delete or sanitize assets, prompts, and style.json when they contain sensitive information.