Skill v0.0.1
ClawScan security
openclaw-visual · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 3:42 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill generally does what it claims (generate images from OpenClaw content) but its runtime instructions read user files in home directories and reference config paths that are not declared in the skill metadata — a mismatch that has privacy implications and should be reviewed before install.
- Guidance: What to consider before installing:
  - Privacy: The skill's instructions explicitly read local files (~/PhoenixClaw/Journal/... and ~/.openclaw/sessions/*.jsonl). Those files may contain sensitive messages or personal data. If you don't want the skill to access those locations, avoid giving it filesystem access and instead pass content explicitly in the request.
  - Metadata mismatch: The skill metadata declares no required config paths, but the SKILL.md and docs expect specific files in your home directory. Treat that as a red flag — ask the author or inspect the code to confirm what will be read.
  - Dependencies: Installation uses npm packages from the public registry and optionally Playwright (large download + Chromium). Review package.json/package-lock, consider running npm install in a sandboxed environment (container/VM), and run npm audit before use.
  - Runtime flags: The renderer runs Chromium/Playwright with --no-sandbox, which reduces process isolation; run in a controlled environment if you plan to generate untrusted HTML.
  - Minimizing risk: Instead of letting the skill auto-scan your session files, provide only the content you want rendered (JSON) to the script. If you must allow local file reads, inspect the code (scripts/generate-image.js and templates) yourself — there are no hidden network exfiltration endpoints in the included files, but npm packages execute code during install, so verify them.
  - If unsure: Run the skill in an isolated environment, avoid installing Playwright unless needed, and review or restrict access to ~/.openclaw and PhoenixClaw folders before enabling autonomous invocation.
Review Dimensions
- Purpose & Capability (note): The name/description (convert OpenClaw logs/chats/messages into images) matches the included templates and the image-generation script. However, the SKILL metadata declares no required config paths or credentials while the README/instructions explicitly expect access to local paths (e.g. ~/PhoenixClaw/Journal/daily/YYYY-MM-DD.md, ~/.openclaw/sessions/*.jsonl and ~/.openclaw/visual/config.yaml). The filesystem access is coherent with the feature but is not declared in the metadata (mismatch).
- Instruction Scope (concern): SKILL.md and references explicitly instruct the agent to read local user files (journal markdown files and session JSONL chat logs), parse frontmatter and session data, and then generate images. That behavior is expected for the stated purpose, but it gives the skill broad read access to potentially sensitive local data. The instructions also suggest auto-switching to Playwright for '精美/复杂' ("exquisite/complex") renders and installing dependencies — these steps are explicit and require care. The metadata does not declare these config paths, so the agent/user may not realize the extent of local data access.
- Install Mechanism (note): This is an instruction-only skill (no platform install spec) but includes package.json and a package-lock, so it expects an npm install in the skill folder. Dependencies (node-html-to-image, optional playwright) are from the public npm registry — typical, but you should review package-lock and be aware that optional Playwright installation downloads a Chromium binary. No remote/personal URLs or extract-from-arbitrary-host behavior was observed in the included files.
- Credentials (note): The skill requests no environment variables or credentials, which is reasonable. However, it references and expects local config at ~/.openclaw/visual/config.yaml and direct access to user home files; those file-path requirements were not listed in the declared metadata. Also, the SKILL.md encourages reading ~/.openclaw/sessions/*.jsonl (chat history), which can contain sensitive data — this is functionally necessary but sensitive, so treat it as a privacy concern.
- Persistence & Privilege (ok): always is false (no forced global inclusion). disable-model-invocation is false (the skill may be invoked autonomously, which is standard). There is no evidence the skill modifies other skills or system-wide settings. Note: autonomous invocation combined with the ability to read local chat logs increases blast radius, but that is a platform-wide default and not unique to this skill.
