openclaw-visual

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill’s image-generation purpose is clear, but its renderer accepts unescaped content and loose file paths, which could expose private chats/logs or run browser code during image creation.

Use this skill only if you are comfortable installing npm/Chromium dependencies and letting it read the specific journal or chat content you request. Preview generated images before sharing, and ask the maintainer to add HTML sanitization, remove full-content logging, whitelist templates, and restrict output paths before broad use.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
High Confidence
ASI05: Unexpected Code Execution
What this means

A crafted message, journal entry, or chat line could make the renderer execute browser JavaScript or load remote resources while creating the image.

Why it was flagged

Template variables are inserted without HTML escaping and then rendered in Chromium with sandboxing disabled, so message/log/chat content can become active HTML or JavaScript during image generation.

Skill content
return data[key] !== undefined ? data[key] : ''; ... await page.setContent(html, { waitUntil: 'networkidle' }); ... args: ['--no-sandbox', '--disable-setuid-sandbox']
Recommendation

Escape all text variables by default, sanitize any fields that intentionally allow HTML, disable JavaScript and unnecessary network access during rendering, and avoid no-sandbox mode unless the renderer is isolated.

What this means

Private journal entries, chat summaries, or message text may be retained in logs even if the user only expected an image file.

Why it was flagged

The script prints all parsed options before parsing content; because options includes the content JSON, private text being rendered can be written to stderr/runtime logs.

Skill content
const options = parseArgs(); console.error('Options:', JSON.stringify(options, null, 2)); ... contentData = JSON.parse(options.content);
Recommendation

Do not log full content by default; log only non-sensitive metadata such as template name and output path, or redact/truncate content in debug mode.

What this means

If the agent is influenced to use unusual arguments, it could render an unintended .html file or overwrite a file the user did not mean to change.

Why it was flagged

CLI arguments can set template and output paths without a whitelist or safe-directory check; template names are joined into a file path and output paths are passed directly to the renderer.

Skill content
options[key] = value; ... const templatePath = path.join(__dirname, '..', 'assets', 'templates', `${templateName}.html`); ... path: outputPath
Recommendation

Allow only documented template names, resolve and verify template paths stay inside assets/templates, restrict output to a dedicated Visuals directory, and prompt before overwriting existing files.

What this means

Generated images may include private diary or conversation details and may be shared into chat tools if the user asks.

Why it was flagged

The documented workflow reads local journal files and OpenClaw session history to build images; this is aligned with the feature but involves sensitive local context.

Skill content
Read `~/PhoenixClaw/Journal/daily/YYYY-MM-DD.md` ... scan `~/.openclaw/sessions/*.jsonl`
Recommendation

Confirm the date range and source files, preview or redact sensitive details before sending, and avoid broad session scans when selected text would be enough.

What this means

Installing the skill may download and run npm package setup and browser components.

Why it was flagged

The skill documents npm dependency installation and optional Chromium installation even though registry metadata lists no install spec; this is normal for rendering but should be visible to users.

Skill content
cd skills/openclaw-visual ... npm install ... npm install playwright ... npx playwright install chromium
Recommendation

Declare the npm/Chromium setup in metadata, use the included lockfile with a controlled install, and review dependency provenance before use.