Clawra Selfie (MiniMax)
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its image-generation purpose, but it includes unsafe shell-command construction and an installer that persistently changes the agent’s identity/persona.
Install only if you are comfortable giving the skill provider API keys and permission to send messages through OpenClaw. Prefer a patched version that avoids shell interpolation, documents credentials in metadata, and asks before changing SOUL.md or IDENTITY.md.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed channel name or caption could execute commands on the user's machine if the TypeScript path is used.
The channel, message, and media values are inserted into a shell command string and executed, so crafted input containing shell metacharacters could run unintended commands.
const cmd = `openclaw message send --action send --channel "${message.channel}" --message "${message.message}" --media "${message.media}"`;
await execAsync(cmd);
Replace exec with spawn/execFile using an argument array, validate channel and caption inputs, and avoid passing user-controlled text through a shell.
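As an added example (not code from the Clawra skill or from ClawScan), the flagged interpolation pattern beside the argument-array form the recommendation describes; the channel name pattern, caption limits and URL check are assumptions, not the skill's rules:

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

interface OutgoingMessage {
  channel: string; // destination channel, e.g. a Discord or Slack channel name
  message: string; // caption text
  media: string;   // image URL
}

// BEFORE (the pattern the finding flags): every field is interpolated into one
// shell string, so a quote or metacharacter in any field alters the command.
export function buildUnsafeCommand(m: OutgoingMessage): string {
  return `openclaw message send --action send --channel "${m.channel}" --message "${m.message}" --media "${m.media}"`;
}

// Assumed channel format: a bare identifier of letters, digits, '-', '_', '.' or '#'.
const CHANNEL_PATTERN = /^[A-Za-z0-9_.#-]{1,64}$/;
export function isValidChannel(channel: string): boolean {
  return CHANNEL_PATTERN.test(channel);
}
// Assumed caption policy: bounded length, no control characters.
export function isValidCaption(caption: string): boolean {
  return caption.length <= 2000 && !/[\x00-\x1f\x7f]/.test(caption);
}
// Assumed media policy: must parse as an http(s) URL.
export function isValidMediaUrl(media: string): boolean {
  try {
    const u = new URL(media);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch {
    return false;
  }
}

// AFTER: validate, then build an argv array. Each value reaches openclaw as exactly
// one argument, whatever quotes or semicolons it contains, because no shell parses it.
export function buildSafeArgs(m: OutgoingMessage): string[] {
  if (!isValidChannel(m.channel)) throw new Error("rejected channel name");
  if (!isValidCaption(m.message)) throw new Error("rejected caption");
  if (!isValidMediaUrl(m.media)) throw new Error("rejected media URL");
  return ["message", "send", "--action", "send",
          "--channel", m.channel, "--message", m.message, "--media", m.media];
}
// execFile runs the binary directly; no /bin/sh is involved.
export async function sendSafely(m: OutgoingMessage): Promise<string> {
  const { stdout } = await execFileAsync("openclaw", buildSafeArgs(m));
  return stdout;
}
```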
Installing the package can persistently alter how the agent presents itself and responds in future sessions.
The installer writes persistent agent identity context, including a new Clawra persona, so the skill can change future agent behavior beyond the immediate image-generation task.
const IDENTITY_MD = path.join(OPENCLAW_WORKSPACE, "IDENTITY.md"); ... fs.writeFileSync(IDENTITY_MD, identityContent);
Require explicit confirmation, create backups, use clearly marked append-only blocks, and document persona/identity changes before installation.
These keys can incur provider usage and allow the skill to send messages through the local OpenClaw gateway.
The skill needs provider credentials and a gateway token to generate images and send messages, but the registry metadata declares no required environment variables and no primary credential.
FAL_KEY=your_fal_api_key ... MINIMAX_API_KEY=your_minimax_api_key ... OPENCLAW_GATEWAY_TOKEN=your_token
Use least-privilege tokens where possible, keep keys in environment/config stores, and review the OpenClaw config after installation.
The agent can send images and captions to Discord, Telegram, WhatsApp, Slack, or similar channels configured through OpenClaw.
Posting generated images to messaging channels is the core purpose, but it is still a mutating external action that should be user-directed.
openclaw message send --action send --channel "<TARGET_CHANNEL>" --message "<CAPTION_TEXT>" --media "<IMAGE_URL>"
Only allow sending after the user has clearly specified or approved the destination channel and caption.
Using an unpinned latest installer means future package changes could affect what runs during setup.
The quick-start path runs the latest remote npm package installer, which then copies files and updates OpenClaw configuration.
npx clawra@latest
Pin a reviewed version, verify the package source, and prefer a registry install path that declares its credentials and install behavior.
