Skill v1.2.0
ClawScan security
Clawra Selfie (MiniMax) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 21, 2026, 7:58 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it says (generate images via MiniMax or fal.ai and send them through OpenClaw) but contains inconsistencies and behaviors that merit caution: the registry metadata omits required API keys, and the installer will modify your OpenClaw config/persona and may write API keys into your config files.
- Guidance: This skill appears to implement its stated feature, but take these precautions before installing or running it:
  - Verify the source: the package lists a GitHub repo but the 'Source' and 'Homepage' fields are unknown/empty. Prefer installing from a trusted repo or inspect the package contents first.
  - Inspect files yourself: the installer (bin/cli.js) will copy files into ~/.openclaw, update openclaw.json, write IDENTITY.md, and inject persona text into SOUL.md. If you accept those changes, review openclaw.json and SOUL.md afterward.
  - Protect API keys: the installer prompts for FAL_KEY and will write it into openclaw.json (persisting the secret). Instead, consider setting FAL_KEY / MINIMAX_API_KEY and OPENCLAW_GATEWAY_TOKEN as environment variables in a secure way and avoid storing long-lived keys in plaintext config files.
  - Principle of least privilege: if possible, use an API key with minimal scope/quotas for this skill and rotate keys regularly.
  - Run in a sandbox first: if you want to be safe, install into a separate OpenClaw profile or test environment to observe what files change and how the agent behavior is modified.
  - If you need metadata accuracy, ask the publisher to update registry metadata to declare required env vars and to document exactly what the installer modifies.

  Given the mismatch between declared metadata and actual requirements, plus the installer modifying agent identity/config files and persisting keys, proceed only after manual review and limiting credential exposure.
Review Dimensions
- Purpose & Capability (concern): Name/description match the implementation: scripts call MiniMax or fal.ai to generate images and then send them via OpenClaw. However, the registry metadata claims no required environment variables while SKILL.md and the scripts clearly require FAL_KEY or MINIMAX_API_KEY and (optionally) OPENCLAW_GATEWAY_TOKEN. The CLI/installer also expects the OpenClaw CLI and jq/curl — these are reasonable for the stated purpose, but the metadata omission is an incoherence that could mislead users about required secrets.
- Instruction Scope (concern): Runtime instructions stay within the stated purpose (generate/edit an image and send it). But the included installer (bin/cli.js) and skill files perform additional actions beyond sending images: they write files into ~/.openclaw (install skill files), inject persona text into SOUL.md, create IDENTITY.md, and update openclaw.json to enable the skill and populate env fields. These file writes and persona injections change agent identity/behavior and are not obvious from the short description — a scope expansion worth flagging.
- Install Mechanism (note): There is no external 'download and execute arbitrary archive' install URL — the package is distributed as an npm-style package (has bin/cli.js and scripts). The installer copies files into ~/.openclaw and modifies local OpenClaw config. The skill references a reference image on jsDelivr (a common CDN). No obviously malicious external download hosts or URL shorteners are used, but the npx/installer flow will write to disk and change local agent files.
- Credentials (concern): The package requires credentials that are proportional to its function (FAL_KEY or MINIMAX_API_KEY for image generation, OPENCLAW_GATEWAY_TOKEN for sending). However, those required env vars are not declared in the registry metadata (metadata lists none) — an important inconsistency. Additionally, the installer will write the provided FAL_KEY into openclaw.json (apiKey/env fields), which persists the secret to disk; storing API keys in a config file may increase exposure risk, and the installer does this by default.
- Persistence & Privilege (concern): The skill does not request 'always: true', but the installer grants persistent presence by enabling the skill in openclaw.json, copying the skill into ~/.openclaw/skills, injecting persona text into SOUL.md, and writing IDENTITY.md. Those changes persist across agent runs and alter agent behavior and identity — reasonable for a feature add, but high-impact and should be made explicit to users and reviewed before installation.
