Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

emo-img — Give Your AI Emotional Expression

v1.0.0

Send sticker/emoji images (表情包) in chat. Search local collection or online (Tenor), download favorites, and send via any channel (WhatsApp, Discord, iMessage...

by Tianyu Jiang (@horisky)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (sticker search, download, send) matches the included script and SKILL.md. Required binary is python3 only. Declared overridable STICKER_DIR and optional TENOR_API_KEY are appropriate for a sticker manager.
Instruction Scope
Instructions limit actions to searching local index, calling Tenor, downloading images, and sending media via the agent's message tool. One minor mismatch: SKILL.md claims the agent will "auto-detect" channel context and "works for ALL channels" — those behaviors are provided by the agent/platform, not the script. Otherwise the runtime instructions do not request unrelated files, credentials, or system state.
Install Mechanism
Instruction-only install (no external installers) and a small python script are included. No network-based install or archive extraction is performed at install time.
Credentials
No sensitive credentials are required. The script optionally reads TENOR_API_KEY and STICKER_DIR which are relevant to its purpose. Minor concerns: the script embeds a Tenor demo API key (non-secret fallback) and, as a last resort, it creates an SSL context that disables certificate verification (ctx.verify_mode = CERT_NONE) — this weakens TLS checks for downloads and could allow MITM/tampered downloads if a host has no available CA bundle.
Persistence & Privilege
always:false and the script only writes inside its own sticker directory (~/.openclaw/stickers by default or STICKER_DIR). It does not modify other skills or system-wide agent configuration.
Assessment
This skill appears to do what it says: search local stickers, query Tenor, download images, and send them via the agent. Before installing, note:
- The skill will create and write files to ~/.openclaw/stickers (or STICKER_DIR). Pick a directory you are comfortable with.
- Downloads come from external URLs (Tenor or user-supplied). Only download/trust images from sources you trust. Maliciously crafted image files can be a vector for exploits in vulnerable image parsers; use caution before opening or forwarding unknown files.
- The script falls back to disabling SSL verification if it can't find a CA bundle; this increases the risk of tampered downloads on hostile networks. If possible, ensure a valid CA bundle is available or run with certifi installed.
- If you have concerns about network calls or storing external content, do not enable autonomous invocation or set the skill to always-on; instead run it manually and review downloads before sending.
- Optionally set TENOR_API_KEY to your API key to avoid demo rate limits, and set STICKER_DIR to a location you control.

Overall the skill is coherent and proportionate for its stated function; the primary risks are typical for any tool that downloads and stores external media.

Like a lobster shell, security has layers — review code before you run it.

Tags: chat, emoji, emotional-ai, latest, sticker

Runtime requirements

😎 Clawdis
Bins: python3