pollinations-sketch-note
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API usage may be associated with the user's Pollinations or Tavily accounts and could be logged or billed by those services.
The script reads provider API keys from environment variables and sends the Pollinations key to the image-generation API. This is disclosed and purpose-aligned, but it grants access to user-owned provider accounts.
POLLINATIONS_API_KEY = os.environ.get("POLLINATIONS_API_KEY")
TAVILY_API_KEY = os.environ.get("TAVILY_API_KEY") ... "key": POLLINATIONS_API_KEYUse dedicated, limited-scope API keys where possible and provide them only if you are comfortable with this skill using those services.
Generated files may be written somewhere unexpected or fail to save correctly unless the user sets an appropriate output path.
The script calls an external image API and writes the returned image to disk. This is expected for an image-generation skill, but the default output path is a hardcoded absolute path tied to a specific local username.
DEFAULT_OUTPUT_DIR = Path("/Users/pengshengkai/.openclaw/media") ... response = requests.get(url, params=params, timeout=60) ... f.write(response.content)Specify an explicit output path when using the skill and avoid sending sensitive or private topics to external generation services.
The skill may not run until the user manually installs dependencies and configures environment variables, and the registry summary may make setup look simpler than it is.
The registry metadata under-declares requirements that the skill documentation does disclose, so automated preflight checks may not surface the needed Python runtime, packages, or API keys.
metadata: Required env vars: none; Required binaries: none. SKILL.md: Python 3.10+; requests; pillow>=10.0.0; Environment variables: POLLINATIONS_API_KEY, TAVILY_API_KEY
Review README.md or SKILL.md before use, install the listed dependencies deliberately, and confirm the required API keys are expected.