minds-eye
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This visual-memory skill is coherent and purpose-aligned, but it saves visual content locally and sends images to a configured vision API using local API credentials.
Install only if you want a persistent visual memory. Use it for images and websites you are comfortable storing under ~/.multimodal-memory/ and sending to your configured vision provider, and periodically review or delete saved memories if they contain sensitive content.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your configured API key may be used for image-analysis requests, which can affect account usage, billing, and provider privacy exposure.
The skill uses locally configured provider credentials to call a vision model. This is purpose-aligned, but users should understand that the skill depends on and uses their API credentials.
By default, the skill reads your API key from `~/.openclaw/openclaw.json` ... Any provider with an `apiKey` field ... `OPENAI_API_KEY` environment variable
Use a trusted provider and an appropriately scoped API key, and verify your OpenClaw model configuration before using the skill.
Images, screenshots, charts, or visible text in them may be processed by the configured external AI provider.
The script base64-encodes the image and sends it to an OpenAI-compatible chat completions endpoint for analysis. This is central to the skill's function but means visual content leaves the local machine.
"image_url": {"url": f"data:{mime};base64,{image_data}"} ... f"{base_url.rstrip('/')}/chat/completions" ... "Authorization": f"Bearer {api_key}"Avoid sending highly sensitive images unless your chosen provider and account settings are appropriate for that data.
Saved image descriptions, tags, URLs, and paths may be reused in future sessions and could contain sensitive or misleading content from images or webpages.
The skill intentionally creates persistent cross-conversation memory and instructs the agent to reload the summary later. This is purpose-aligned, but stored visual descriptions should be treated as user data rather than trusted instructions.
All data lives in `~/.multimodal-memory/` ... `memory.md` — human-readable summary ... Read `~/.multimodal-memory/memory.md` at session start
Review or delete ~/.multimodal-memory/ when needed, and treat remembered content as reference data, not as instructions to follow.
Installing the optional website-capture dependency downloads and runs third-party browser tooling on your machine.
Website capture may require a user-run dependency installation and Chromium download. This is disclosed and purpose-aligned, but it adds external software to the local environment.
pip install playwright && python -m playwright install chromium
Install dependencies only in a trusted environment, and prefer your normal package-management controls or a virtual environment.