Designkit Ecommerce Studio
Security checks across malware telemetry and agentic risk
Overview
This appears to be a coherent Designkit image-processing skill, but it uses an API key, runs bundled scripts, and uploads user-provided images for remote processing.
Before installing, be comfortable with giving the skill a Designkit/OpenClaw API key and uploading only the images you intentionally provide for processing. Prefer a trusted or pinned install source, and avoid sending private images unless you accept remote processing by Designkit/OpenClaw.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any local image path you provide may be uploaded to Designkit/OpenClaw.
Local image data can leave the user's device for remote processing. This is clearly disclosed and aligned with the image-editing purpose.
When you provide a local image path, the file is uploaded to Designkit/OpenClaw for processing.
Only provide images you are comfortable sending to the remote service.
The skill can use your Designkit/OpenClaw account credentials and credits for requested image-processing jobs.
The skill requires a Designkit/OpenClaw API key for all workflows. This is expected for the service integration and is declared in the package metadata.
"DESIGNKIT_OPENCLAW_AK": { "type": "string", "description": "API key used to authenticate Designkit OpenClaw requests for all bundled workflows.", "required": true }
Use a dedicated API key if possible and revoke or rotate it if you stop using the skill.
Installing the skill allows it to run its included local scripts when invoked for supported image tasks.
The agent is instructed to run bundled shell/python entrypoints. This is disclosed and central to the skill's operation.
bash __SKILL_DIR__/scripts/run_command.sh <action> --input-json '<params_json>'
Install only from a trusted source and keep the skill limited to the intended image-processing workflows.
It may be harder to verify exactly which upstream source corresponds to the installed registry package.
The registry source is not identified, and the package files declare version 1.1.2. This is a provenance/versioning gap, not evidence of malicious behavior.
Source: unknown; Version: 1.0.2
Prefer installing from a trusted registry entry or a pinned, verified repository reference.
