design pick
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a simple local food-collage generator with no evidence of credential access, network use, persistence, or hidden behavior.
This skill looks benign for local collage generation. Before installing, note that it runs a Python script, writes fixed collage PNG files, and appears to require Pillow plus local input images that are not bundled in the manifest.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill means allowing a local Python image-processing script to run when invoked.
The usage instructions direct running a local Python script. This is purpose-aligned for generating image collages and no hidden shell, network, or destructive behavior is shown.
python3 /root/.openclaw/workspace/skills/design-pick/scripts/generate_collage.py
Use it only when you intend to generate collages, and run it in a normal workspace where creating or overwriting the fixed output PNG names is acceptable.
The skill may not work unless the expected dependency and image files already exist, and any manual dependency or asset sourcing would be outside the reviewed package.
The script requires the Pillow library and local image assets under collages/<theme>/, while the supplied install metadata has no install spec and the manifest only includes SKILL.md and the script.
from PIL import Image, ImageDraw, ImageFont, ImageOps
...
items[letters[i]] = (label, f"collages/{theme}/{letters[i]}.png")If you add Pillow or image assets yourself, use trusted sources and keep them scoped to the expected collage directories.