Skill v1.2.0
ClawScan security
Kokonna Frame · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 2:22 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (upload images and query KoKonna frames) with no obvious overreach, but there are small metadata inconsistencies and an unfamiliar API host that you may want to verify before use.
- Guidance: This skill appears to do what it says: resize images and POST them to a KoKonna API using per-device API keys stored in ~/.openclaw/skills/kokonna-frame/config.yaml. Before installing:
  1. Verify the API base URL. DEFAULT_API_BASE_URL is https://api.galaxyguide.cn/openapi; confirm this is the official KoKonna endpoint for your device, or change it in config.yaml.
  2. Double-check the registry metadata against the manifest. The skill requires a local config file even though the registry metadata omitted it.
  3. Only provide API keys obtained from a trusted source (kokonna.art), and do not reuse high-privilege keys.
  4. If unsure, inspect or run the Python scripts in a controlled environment. They only use requests and Pillow and POST base64 image payloads.
  5. Prefer installing from a verifiable upstream (official repo or vendor) rather than an unknown source.
  For higher assurance, ask the author for a homepage or repo, or for confirmation that api.galaxyguide.cn is the official API host.
Review Dimensions
- Purpose & Capability: ok
- Name and description (control e-ink frames: upload images, query device info) align with the included Python code and CLI scripts. The code only talks to a single API (upload/device) and expects per-device API keys in a local config file. However, the registry metadata omitted any required config path while the manifest, README, SKILL.md and code all require ~/.openclaw/skills/kokonna-frame/config.yaml; this metadata mismatch should be resolved.
- Instruction Scope: ok
- SKILL.md instructs placing API keys in a local config file and shows CLI/Python usage. Runtime instructions and scripts only read that config file and the provided image path, resize the image, and POST base64 data to the declared API endpoints. There are no instructions to read unrelated local files or environment secrets, or to send data to other endpoints.
- Install Mechanism: ok
- There is no install spec; the skill is instructions plus source files. Dependencies are only requests and Pillow (declared in requirements.txt and SKILL.md). No arbitrary downloads or extract steps are present.
- Credentials: note
- The code requires per-device API keys (stored in config.yaml), which is proportional to the function. No environment variables or unrelated secrets are requested. Note: the registry metadata claimed 'Required config paths: none', which contradicts the actual code and SKILL.md that require a config file; this should be fixed or verified.
- Persistence & Privilege: ok
- The skill does not request permanent or global privileges (always: false). It does not modify other skills or system settings. It will run with normal autonomous invocation behavior unless the platform or user restricts it.
