pollinations-sketch-note

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: pollinations-sketch-note
Version: 0.0.1

The skill bundle contains a hardcoded absolute path for a specific user directory (/Users/pengshengkai/.openclaw/media) in scripts/generate.py, which will cause permission errors or execution failures on most systems. Furthermore, the script mandates the configuration of a TAVILY_API_KEY environment variable but never actually utilizes it in the code, instead using the Jina Reader API for web searches. While no direct evidence of intentional malice was found, the requirement for unused sensitive API keys and the presence of user-specific hardcoded paths are significant indicators of poor quality or incomplete development that pose a risk to the user's environment.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

API usage may be associated with the user's Pollinations or Tavily accounts and could be logged or billed by those services.

Why it was flagged

The script reads provider API keys from environment variables and sends the Pollinations key to the image-generation API. This is disclosed and purpose-aligned, but it grants access to user-owned provider accounts.

Skill content

POLLINATIONS_API_KEY = os.environ.get("POLLINATIONS_API_KEY")
TAVILY_API_KEY = os.environ.get("TAVILY_API_KEY")
...
"key": POLLINATIONS_API_KEY

Recommendation

Use dedicated, limited-scope API keys where possible and provide them only if you are comfortable with this skill using those services.

What this means

Generated files may be written somewhere unexpected or fail to save correctly unless the user sets an appropriate output path.

Why it was flagged

The script calls an external image API and writes the returned image to disk. This is expected for an image-generation skill, but the default output path is a hardcoded absolute path tied to a specific local username.

Skill content

DEFAULT_OUTPUT_DIR = Path("/Users/pengshengkai/.openclaw/media")
...
response = requests.get(url, params=params, timeout=60)
...
f.write(response.content)

Recommendation

Specify an explicit output path when using the skill and avoid sending sensitive or private topics to external generation services.

What this means

The skill may not run until the user manually installs dependencies and configures environment variables, and the registry summary may make setup look simpler than it is.

Why it was flagged

The registry metadata under-declares requirements that the skill documentation does disclose, so automated preflight checks may not surface the needed Python runtime, packages, or API keys.

Skill content

metadata: Required env vars: none; Required binaries: none.
SKILL.md: Python 3.10+; requests; pillow>=10.0.0; Environment variables: POLLINATIONS_API_KEY, TAVILY_API_KEY

Recommendation

Review README.md or SKILL.md before use, install the listed dependencies deliberately, and confirm the required API keys are expected.