Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Face Transform
v1.0.0
Analyze and transform faces via AceDataCloud API. Use when detecting face keypoints, beautifying portraits, aging/de-aging faces, swapping genders, replacing...
by @germey
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes face analysis and transformations (beautify, age, gender-swap, swap, liveness) and the HTTP endpoints shown are consistent with that purpose. Requesting an API token is appropriate for a hosted Face API. However, the skill has no homepage, no source attribution, and the registry metadata lists no required env vars despite the instructions requiring a token — that mismatch reduces confidence in provenance and metadata quality.
Instruction Scope
The instructions are limited to calling AceDataCloud HTTPS endpoints and using an ACEDATACLOUD_API_TOKEN; they do not instruct reading arbitrary local files or unrelated credentials. Payloads are image_url-based POSTs. There is no instruction to exfiltrate unrelated data, but the skill will send image URLs (and thus image data) to an external service.
Install Mechanism
This is an instruction-only skill with no install steps and no code files — minimal disk or install footprint. That lowers risk from arbitrary code installation.
Credentials
The SKILL.md explicitly requires ACEDATACLOUD_API_TOKEN, but the declared registry metadata lists no required environment variables or primary credential. That inconsistency is a red flag (metadata mismatch). The single token itself is proportionate to the skill's purpose, but the omission in metadata and lack of clarity about token scope or creation are concerning.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and has no install-time persistence. It uses the platform default allowing autonomous invocation; weigh that together with the external API access if you plan to let agents run autonomously.
What to consider before installing
What to check before installing:
- Metadata mismatch: the SKILL.md requires ACEDATACLOUD_API_TOKEN but the registry metadata lists no required env vars — ask the publisher to correct the metadata and document token creation/scope.
- Provenance: there is no homepage or source repo. Verify who runs "acedata.cloud" and review their privacy policy and terms (images with faces are highly sensitive data).
- Data flow: using the skill sends image URLs (and likely the image bytes) to api.acedata.cloud. Do not provide images of real people, minors, or any sensitive subjects unless you trust the service and have consent.
- Token security: store ACEDATACLOUD_API_TOKEN in a secure secret store, limit its permissions, and rotate/revoke it if compromised.
- Autonomous use: if you allow autonomous agent invocation, the agent could call the API without further prompts — consider disabling autonomous invocation or restricting the skill if you don't want agents to upload images automatically.
- Validation: request from the publisher the API documentation, privacy policy, and an explicit statement of what the token scopes and retention/processing policies are. If you cannot verify the provider, avoid using confidential or real-person images with this skill.

Like a lobster shell, security has layers — review code before you run it.
latestvk972dfnsc9fkmygcsdc2217yq183d2je
