Skillv2.2.0

ClawScan security

OpenClaw 龙虾灵魂锻造炉 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 22, 2026, 11:18 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is a coherent persona/gacha skill: it runs a local Python script to produce randomized persona components, assembles text outputs (SOUL.md / IDENTITY.md), optionally writes a prompt to /tmp and calls an image-generation skill if present; it does not request credentials or perform network fetches itself.
Guidance: What to consider before installing: - Functionality: This skill runs a local Python script (gacha.py) to create persona text and can write SOUL.md and IDENTITY.md files; it optionally writes a /tmp prompt and calls an installed baoyu-image-gen skill to generate images. - Requirements mismatch: SKILL.md requires python3 but registry 'required binaries' lists none — ensure your environment has python3 if you want the '抽卡' mode. - File writes: The skill will write temporary prompt files to /tmp and will use Write/Read tools to create files in the current or user-specified directory; confirm you’re OK with those writes and check file paths before allowing file-creation operations. - Optional dependency: If baoyu-image-gen is present the skill will call it; review that skill's code/policy before enabling automatic image generation. If baoyu-image-gen is not installed, this skill will only output prompt text (no network calls). - Network and secrets: The skill itself does not perform network requests nor request credentials. The avatar-style docs reference an external raw GitHub image for example artwork (safe but external URL). If you enable an image-generation skill or paste prompts into online services, those services may transmit data externally. - Autonomy: The skill can be invoked autonomously by the agent (platform default). If you want to limit agents' ability to run scripts or create files without manual approval, keep that in mind. Overall recommendation: technically coherent and low-risk relative to its purpose; verify python3 presence and be mindful of file-write behavior and any downstream image-generation skill you enable.

Review Dimensions

Purpose & Capability: okThe skill's name/description (forge lobster 'souls') matches its actions: it uses a local gacha.py to produce persona components, assembles textual artifacts, offers optional avatar generation via an optional baoyu-image-gen skill, and can write SOUL.md/IDENTITY.md. One small inconsistency: the registry metadata lists no required binaries, but SKILL.md states python3 is required (gacha.py is marked as '必需').
Instruction Scope: noteSKILL.md stays within the stated purpose: it instructs running gacha.py, deriving identity/tension/rules/names, assembling prompts, and optionally calling baoyu-image-gen. It does instruct the agent to write a temporary prompt file under /tmp and to use Write/Read tools to create and show files — expected for a generator but worth noting because the skill will write files to disk and call another skill when available.
Install Mechanism: okNo install spec (instruction-only + two small local helper scripts). The included gacha.py and gacha.sh are local, small, and use only Python standard library (secrets). No remote downloads or package installs are requested.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. Its optional interaction with baoyu-image-gen (another skill) is proportional to the described avatar-generation feature. There are no unexpected credential or secret requests.
Persistence & Privilege: notealways:false and disable-model-invocation:false (default autonomy) — normal for skills. The skill will write files (SOUL.md/IDENTITY.md) to the target directory and temp prompt files under /tmp when generating avatars; confirm you are comfortable with an agent that can write files in those locations.