Raphael Ai Image

Advisory

Audited by VirusTotal on Mar 24, 2026.

Overview

Type: OpenClaw Skill
Name: raphael-ai-image
Version: 0.2.0

The skill bundle is a legitimate automation tool for generating images using the Raphael AI website. The SKILL.md file provides clear instructions for browser automation, and the scripts/generate_image.py file serves only as a documentation holder for styles and prompts without executing any harmful code. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated images may be downloaded into the local OpenClaw workspace as part of normal use.

Why it was flagged

The skill instructs the agent to automate browser output extraction, download an image with curl, and write it locally. This is purpose-aligned and disclosed, but it is still tool and file-system activity.

Skill content

Image extraction: get the `cdn.raphaelai.org` URL from the DOM, then download it with curl
Save path: `~/.openclaw/workspace/media/`

Recommendation

Use it for intended image-generation requests and review the downloaded/generated file before reusing or sharing it.

What this means

Actions occur through the OpenClaw browser profile rather than a stateless API call.

Why it was flagged

The artifact directs use of a named browser profile. It also says no API key or registration is needed, so this appears proportionate, but users should know browser profile state may be involved.

Skill content

Execution method: automated through OpenClaw Browser (profile=openclaw)

Recommendation

If you want maximum separation, use an isolated browser profile for image-generation browsing.

What this means

Prompts and generated images may be visible to the external Raphael AI site and to participants in the current Discord channel.

Why it was flagged

The workflow involves requests between agents, submission of prompts to an external website, and delivery through a Discord channel. This is disclosed and central to the skill, but it crosses service and channel boundaries.

Skill content

Other agents invoke it by request. ... Open `https://raphaelai.org/zh/ai-image-generator` ... 紫灵 sends the image to the current channel via Discord.

Recommendation

Do not include secrets, private personal data, or confidential business material in prompts; confirm the Discord channel is the intended destination.

What this means

Version or publisher tracking may be less clear than expected.

Why it was flagged

The embedded metadata differs from the registry metadata supplied for the package, which lists a different owner ID and version. With no install script or dependencies this is not a malicious indicator, but it weakens provenance clarity.

Skill content

"ownerId": "main", "slug": "raphael-ai-image", "version": "0.1.0"

Recommendation

Verify the publisher and intended version if provenance matters before installing.