Skill v1.0.0
ClawScan security
DingJi Long Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 1:48 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only skill that describes how to assemble and render long-form course images; its declared inputs, runtime steps, and outputs are coherent with the stated purpose and it does not request credentials or unusual system access.
- Guidance: This is an instruction-only skill that outlines how to build and export long-form math lesson images; it asks for no credentials and has no install step. Two practical checks before enabling: (1) confirm your platform provides the referenced helper (scripts.generate_long_image) and the lightclaw_upload_file API or the calls will fail; (2) be aware generated images are saved to /root/.openclaw/media/outbound and uploaded—if you embed sensitive content in the chapter text or brand fields, it will be persisted and uploaded. If you rely on other linked skills (course-long-image), review those implementations for any code or network behavior you must trust.
Review Dimensions
- Purpose & Capability (ok): Name/description (generate long images for math chapters) matches the SKILL.md content. No unrelated binaries, environment variables, or external credentials are requested. References to branding, chapter content, LaTeX, and output/upload behavior are appropriate for an image-generation skill.
- Instruction Scope (note): The instructions include Python-snippet examples that call a helper script (scripts.generate_long_image) and instruct uploading via lightclaw_upload_file to /root/.openclaw/media/outbound. This is consistent with the described workflow but assumes platform-provided helper scripts/APIs or other skills (e.g., course-long-image). There are no instructions to read arbitrary user files, exfiltrate secrets, or contact unknown external endpoints.
- Install Mechanism (ok): No install spec or downloaded code is present (instruction-only). Nothing is written to disk by the skill itself at install time, so install risk is minimal.
- Credentials (ok): The skill declares no required environment variables or credentials. Its runtime instructions do not request tokens/keys. The only filesystem path referenced is a platform media outbound path for storing generated images, which is proportionate to the stated output behavior.
- Persistence & Privilege (ok): always is false and model invocation is not disabled (normal). The skill does not request persistent presence, nor does it instruct modifying other skills' configuration or accessing other skills' credentials.
