Clawra Selfie (MiniMax)

Security checks across malware telemetry and agentic risk

Overview

The skill’s image-generation purpose is genuine, but it needs review because its installer changes persistent agent identity and configuration, the skill posts generated media to external channels, and its TypeScript CLI path is prone to command injection.

Review before installing. Use it only in a controlled OpenClaw environment, avoid sensitive prompts or private channels, rotate the fal.ai key after testing if the configuration may be shared (the installer writes it to openclaw.json in plaintext), and inspect or back up IDENTITY.md, SOUL.md, and openclaw.json before running the installer. Do not use the TypeScript CLI path until it replaces shell exec() with argument-safe execution (execFile with an argument array) or a direct API call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
Granting `Bash(npm:*)` and `Bash(npx:*)` gives broad package-management and arbitrary script execution power that exceeds what is needed for calling a fixed image API and sending via OpenClaw. Excessive tool scope increases the blast radius if the skill is misused or its inputs become attacker-controlled.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The installer performs persistent modifications to workspace identity and persona files that go beyond the stated purpose of enabling selfie/image generation. This is dangerous because it silently changes long-term agent behavior and user-facing identity, creating unauthorized scope expansion and potential social-engineering or trust-manipulation risk.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The code overwrites IDENTITY.md with a fixed roleplay identity ('Clawra', 'Girlfriend', affectionate persona), which is unrelated to the narrow operational need of generating images. Persistently redefining agent identity can alter how the agent presents itself across all interactions, potentially misleading users and undermining expected behavior boundaries.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The installer injects broad conversational guidance into SOUL.md, teaching the agent to act as if it has a physical appearance and to respond creatively to non-image prompts. This expands behavior beyond image generation into persistent persona shaping, which can affect future conversations in ways the user did not explicitly request.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The code constructs a shell command with user-controlled channel, message, and media values interpolated directly into a command string and executes it with exec(). An attacker can break out of the quoted arguments using shell metacharacters or embedded quotes and achieve arbitrary command execution on the host running the skill.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill invokes the OpenClaw CLI through a shell using child_process.exec, which unnecessarily introduces shell execution into a workflow that could be handled with a direct API call. Because this expands the attack surface and combines with user-influenced arguments, it creates a real command-injection pathway rather than merely an implementation detail.

Missing User Warnings

Medium
Confidence: 79%
Finding
The README advertises sending generated photos across messaging platforms and using external image-generation services, but does not warn users that prompts, generated media, and possibly metadata will be transmitted to third-party services. In a messaging-agent context, that omission can cause operators to enable the skill without understanding data-flow, privacy, and compliance implications, increasing the chance of inadvertent disclosure of sensitive content.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad and overlap with ordinary conversation like 'how are you?' or 'where are you?', which can cause accidental activation of image generation and outbound messaging. In this skill's context, unintended activation is more dangerous because it can send generated media to external channels.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill description does not prominently warn that generated images may be transmitted to third-party messaging platforms. Lack of clear disclosure undermines informed consent and increases the chance users trigger external sharing without realizing content will leave the local environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The installer overwrites workspace files such as IDENTITY.md without an upfront warning, backup, or explicit confirmation. Silent destructive changes to user-controlled files can cause loss of prior configuration and unexpected agent behavior, especially in a shared or carefully tuned environment.

Missing User Warnings

High
Confidence: 99%
Finding
The installer stores the fal.ai API key in plaintext in openclaw.json, including duplicating it under both apiKey and env.FAL_KEY, without clearly warning the user. Plaintext secret storage increases the chance of credential disclosure through local compromise, backups, logs, or accidental sharing of the configuration directory.
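The two findings above (IDENTITY.md silently overwritten with no backup, and the fal.ai key written in plaintext under both apiKey and env.FAL_KEY) suggest a before-and-after check an operator can run around the installer. The TypeScript below is an added example, not code from the skill or from OpenClaw: it hashes and backs up the three files the findings name, reports which of them the installer changed, and scans openclaw.json for credential-looking keys that hold a literal value rather than an environment reference such as "${FAL_KEY}". The demo() function reproduces the installer's described changes in a scratch directory with constructed files; the workspace layout and the JSON key names are assumptions taken from the findings, not the real installer's output.

```typescript
import { createHash } from "node:crypto";
import { copyFileSync, existsSync, mkdirSync, mkdtempSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Added example, not OpenClaw or skill code. The file names come from the findings.
const WATCHED = ["IDENTITY.md", "SOUL.md", "openclaw.json"];

// sha256 hex digest per watched file, or null when the file does not exist.
type Snapshot = { [name: string]: string | null };

function snapshot(workspace: string): Snapshot {
  const snap: Snapshot = {};
  for (const name of WATCHED) {
    const file = join(workspace, name);
    snap[name] = existsSync(file)
      ? createHash("sha256").update(readFileSync(file)).digest("hex")
      : null;
  }
  return snap;
}

// Copy every watched file that exists into backupDir before the installer runs.
function backupWorkspace(workspace: string, backupDir: string): string[] {
  mkdirSync(backupDir, { recursive: true });
  const saved: string[] = [];
  for (const name of WATCHED) {
    const file = join(workspace, name);
    if (existsSync(file)) {
      copyFileSync(file, join(backupDir, name));
      saved.push(name);
    }
  }
  return saved;
}

// Watched files whose content (or existence) differs between two snapshots.
function changedFiles(before: Snapshot, after: Snapshot): string[] {
  return WATCHED.filter((name) => before[name] !== after[name]);
}

// Walk parsed openclaw.json and return the JSON paths whose key looks like a
// credential and whose value is a literal string. A value of the form "${NAME}"
// is treated as an environment reference and not reported.
const SECRET_KEY = /key|token|secret|password/i;
const ENV_REF = /^\$\{[A-Z0-9_]+\}$/;

function findPlaintextSecrets(node: unknown, path: string = "$"): string[] {
  const hits: string[] = [];
  if (node === null || typeof node !== "object") return hits;
  const obj = node as { [k: string]: unknown };
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    const here = Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`;
    if (typeof value === "string" && SECRET_KEY.test(key) && value.length > 0 && !ENV_REF.test(value)) {
      hits.push(here);
    }
    hits.push(...findPlaintextSecrets(value, here));
  }
  return hits;
}

// End-to-end run in a scratch directory with constructed files. The "installer"
// step simulates what the findings describe (IDENTITY.md overwritten, the fal.ai
// key written twice into openclaw.json); it is not the real installer.
function demo(): { saved: string[]; changed: string[]; secrets: string[] } {
  const ws = mkdtempSync(join(tmpdir(), "clawra-check-"));
  writeFileSync(join(ws, "IDENTITY.md"), "# Identity\nName: Assistant\n");
  writeFileSync(join(ws, "SOUL.md"), "Be concise and honest.\n");
  writeFileSync(join(ws, "openclaw.json"), JSON.stringify({ skills: {} }, null, 2));

  const before = snapshot(ws);
  const saved = backupWorkspace(ws, join(ws, ".backup"));

  // Simulated installer (constructed): persona overwrite plus duplicated plaintext key.
  writeFileSync(join(ws, "IDENTITY.md"), "# Identity\nName: Clawra\nRole: Girlfriend\n");
  writeFileSync(join(ws, "openclaw.json"), JSON.stringify({
    skills: { clawra: { apiKey: "fal-FAKE-KEY-0000", env: { FAL_KEY: "fal-FAKE-KEY-0000" } } },
  }, null, 2));

  const after = snapshot(ws);
  const config = JSON.parse(readFileSync(join(ws, "openclaw.json"), "utf8"));
  return { saved, changed: changedFiles(before, after), secrets: findPlaintextSecrets(config) };
}
```

Against a real workspace, call snapshot() and backupWorkspace() before the installer and changedFiles() plus findPlaintextSecrets() after it; any path the scan reports is a key that will travel with backups or a shared configuration directory and should be moved to an environment variable and rotated.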

Missing User Warnings

Medium
Confidence: 81%
Finding
The script transmits user-supplied prompts and API-backed requests to third-party services, but it gives only minimal usage comments and no explicit runtime notice about data leaving the host. This can cause unintentional disclosure of sensitive prompt content or metadata when users assume the skill operates locally.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill sends generated content and captions to a messaging channel without an explicit warning or confirmation, which increases the risk of accidental delivery to unintended recipients. In automation contexts, this can leak sensitive prompts, generated media, or misleading content into external communications channels.

Missing User Warnings

Medium
Confidence: 79%
Finding
The script automatically posts AI-generated content to a user-supplied channel with no confirmation, dry-run mode, or validation barrier. In agentic or automated contexts, this can cause unintended message delivery, spam, reputational harm, or posting to sensitive channels if upstream inputs are wrong or manipulated.

Missing User Warnings

Medium
Confidence: 95%
Finding
Untrusted input reaches shell execution without confirmation or sanitization, creating a command-injection path. Because this skill is likely to process externally supplied prompt/channel/caption values, the context makes the issue more dangerous: a messaging helper should not be able to execute arbitrary local commands.

Vague Triggers

High
Confidence: 95%
Finding
The invocation examples are broad enough to match ordinary conversation such as 'how are you doing?' or 'send me a pic', which could trigger image generation and message sending without the user clearly intending to invoke this skill. In this skill's context, accidental activation is especially risky because it can send content to external messaging channels and disclose prompts/images to third-party services.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill description does not prominently warn that user prompts and a reference image are transmitted to external providers and that resulting images may be sent to third-party messaging platforms. This weakens informed consent and increases the chance users unknowingly trigger data sharing outside the local environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script posts generated media to a messaging channel immediately, with no confirmation step, dry-run mode, or visibility control. In an agent/automation context this can cause unintended data disclosure, spam, or posting to the wrong recipient/channel if the prompt, caption, or channel are supplied incorrectly or influenced by another component.

Missing User Warnings

Medium
Confidence: 99%
Finding
User-controlled fields such as channel and message are interpolated directly into a command string passed to exec, so crafted input containing shell metacharacters or quote breaks can execute arbitrary commands on the host. In this skill's context, those values come from CLI/module inputs, making the injection path straightforward and highly dangerous.
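Several findings on this page (the exec() interpolation, the shell invocation of the CLI, and the unsanitized input reaching the shell) describe the same defect: channel, message and media are dropped into one command string, so a double quote inside any of them ends the argument and whatever follows runs as shell. The TypeScript below is an added example, not the skill's own source; the "openclaw send" subcommand and its flag names are assumptions. It builds the vulnerable string only to make the break-out visible (nothing executes it), then shows the argument-safe form the overview asks for: allowlist-validate the fields that have a predictable shape, hand everything to execFileSync as an argv array so no shell parses it, and attach the free-text caption as --message=<text> so a caption beginning with a dash cannot be read as a new flag. A child node process stands in for the real CLI and echoes back the argv it received.

```typescript
import { execFileSync } from "node:child_process";

// Added example, not the skill's code. The "openclaw send" subcommand and the
// --channel/--media/--message flags are assumptions used for illustration.

// The pattern the findings describe: untrusted values interpolated into one
// shell command string. This only builds the string; nothing here runs it.
function buildVulnerableCommand(channel: string, message: string, media: string): string {
  return `openclaw send --channel "${channel}" --message "${message}" --media "${media}"`;
}

// Allowlists for the fields with a predictable shape (assumed alphabets).
const CHANNEL_RE = /^[A-Za-z0-9_.:#@-]{1,64}$/;
const MEDIA_RE = /^[A-Za-z0-9_./-]+\.(png|jpe?g|webp)$/i;
const MAX_CAPTION = 2000;

// Hardened form: validate, then return an argv array. Each element reaches the
// child process as exactly one argument, so quotes and metacharacters inside a
// value are data, not syntax. The caption travels as --message=<text>, which
// keeps a caption that starts with "-" attached to its option.
function buildSafeArgv(channel: string, message: string, media: string): string[] {
  if (!CHANNEL_RE.test(channel)) {
    throw new Error(`rejected channel: ${JSON.stringify(channel)}`);
  }
  if (!MEDIA_RE.test(media) || media.split("/").indexOf("..") !== -1) {
    throw new Error(`rejected media path: ${JSON.stringify(media)}`);
  }
  if (message.length > MAX_CAPTION) {
    throw new Error(`caption longer than ${MAX_CAPTION} characters`);
  }
  return ["send", "--channel", channel, "--media", media, `--message=${message}`];
}

// Stand-in for the real CLI: a child node process prints the argv it received,
// so the caller can confirm each value arrived intact as a single argument.
// In the skill this would be execFileSync("openclaw", argv), with no shell involved.
function runViaExecFile(argv: string[]): string[] {
  const echoArgv = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";
  const out = execFileSync(process.execPath, ["-e", echoArgv, "--", ...argv], { encoding: "utf8" });
  return JSON.parse(out) as string[];
}

// Constructed payload: closes the quoted argument, runs a command, reopens the quote.
const INJECTION_PAYLOAD = `"; touch /tmp/pwned; echo "`;
```

With the payload as the channel, buildVulnerableCommand() yields `--channel ""; touch /tmp/pwned; echo "" ...`, which a shell would execute as three commands; buildSafeArgv() rejects it at the allowlist. With the same payload as the caption, where free text must be allowed, the argv form delivers it to the child as one literal argument and no shell ever sees it.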

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger conditions are overly broad because they activate on common conversational prompts like 'what are you doing?' or 'where are you?', which can cause the agent to generate and send images when the user did not explicitly request external image generation. In this skill, that behavior is more dangerous because activation leads to outbound use of third-party image services and messaging-channel delivery, increasing the chance of unintended data sharing, surprise actions, or abuse through prompt steering.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that images are generated via external providers but does not warn users that their request content and related prompt data will be sent to third-party image-generation services. In context, this is a real privacy and transparency issue because users may share sensitive context in selfie or situational prompts, and the skill can then transmit that information off-platform without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean. A clean antivirus verdict only means no vendor matched known-malicious content; it does not cover the command-injection, persona-overwrite, or plaintext-key findings above, which are design and configuration flaws rather than malware.
