Higgsfield Product Photoshoot
Pass. Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: higgsfield-product-photoshoot
Version: 1.0.0

The skill instructions in `SKILL.md` direct the agent to install a CLI tool using a high-risk `curl | sh` pattern from a remote GitHub repository (`https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh`). While this appears to be a standard installation method for the legitimate Higgsfield AI service, the use of unverified remote script execution and the requirement for `Bash` tool access to run CLI commands constitute significant security risks. No evidence of intentional malice or data exfiltration was found, but the bootstrap process and shell dependencies align with the criteria for a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the CLI is not installed, remote code could be executed on the user’s machine without a pinned version or reviewed package boundary.
The skill has no install spec, but instructs the agent to fetch and execute an unpinned script from the GitHub main branch.
If `higgsfield` is not on `$PATH`, install it: `curl -fsSL https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh | sh`
Require explicit user approval before installation, prefer a pinned release or package-manager install, and document the installer in an install spec.

The CLI may use the user’s Higgsfield account, credits, or subscription when generating images.
The skill requires a Higgsfield account session to generate images, which is expected for the provider integration but gives the CLI account-level access.
If `higgsfield account status` fails with `Session expired` / `Not authenticated`, ask the user to run `higgsfield auth login`
Log in only to the intended Higgsfield account and confirm any billing, credit, or privacy implications before use.

Product descriptions or uploaded product photos may be sent to Higgsfield’s backend and image model service.
The skill discloses a provider/backend flow for image generation; product prompts and likely uploaded product images are processed outside the local agent.
The CLI calls a backend prompt enhancer ... then submits to `gpt_image_2` and returns image URLs.
Avoid submitting confidential product images or unreleased campaign details unless the provider’s data handling terms are acceptable.
