TryHair AI

v0.1.4

AI Hairstyle Try-On & Face Shape Analysis – Upload a photo to analyze face shape and instantly try recommended hairstyles. UID required.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the implementation: the CLI script accepts an image and UID and POSTs to tryhair.ai endpoints to run face-shape analysis or generate hairstyle previews. Requiring a UID and an internet connection is expected for this purpose.
Instruction Scope
The runtime will accept local files, base64 blobs, or arbitrary image URLs, then fetch and upload the image to external APIs (default: https://tryhair.ai). That behavior is reasonable for an image-processing skill, but it can lead to unintended data exfiltration if an image_url points at internal resources or sensitive endpoints. The SKILL.md also permits reusing prior-session images and instructs saving generated images locally (user must delete them manually) — both are privacy-relevant and should be made explicit to users.
Install Mechanism
This is instruction-only (no installer). There is a bundled Python script that depends on the 'requests' library, but the skill manifest does not declare dependencies or provide an install step. That mismatch can cause runtime failures if 'requests' is not available.
Credentials
No sensitive environment variables are required by the registry metadata, but the code reads optional endpoint env vars (OPENCLAW_TRYHAIR_API / OPENCLAW_FACESHAPE_API). The primary runtime credential is a user-supplied UID (16 chars) which is used for account/session management; requiring a UID is proportional to the stated purpose, but a UID can act like an authentication token and should be treated sensitively. The skill uploads user images to an external service (tryhair.ai) as part of normal operation.
Persistence & Privilege
The skill does not request persistent platform privileges or 'always' inclusion. It writes generated images to the current working directory (output/) and does not modify other skills or system configuration. The file-writing behavior is limited to created output images.
Assessment
This skill appears to implement what it claims, but review these before installing: (1) It uploads user images (and images fetched from URLs) to tryhair.ai — do not upload photos you consider highly sensitive. (2) The UID you supply functions as an account identifier/token; only share it if you trust the service. (3) The script fetches arbitrary image URLs — avoid passing URLs that point to internal network resources (risk of leaking internal data). (4) Ensure the runtime has the Python 'requests' package, or the script will fail. (5) Generated images are saved to an 'output' folder; delete them if you want them removed. If you need higher assurance, ask the publisher for a dependency list, confirm the API endpoints are official, or run the code in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk976vj5f9arjhxmdv0vgpyj1sn83n7mx
