Skill v0.1.4
ClawScan security
Showmeai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 9:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared environment variables, and runtime instructions are consistent with a Showmeai image/video/3D generation client and do not request unrelated credentials or elevated privileges.
- Guidance: This skill appears coherent for generating images, videos, and 3D models via the Showmeai API. Before installing, consider: (1) it requires a Showmeai API key and base URL; these credentials will be sent to an external service, so only use a key you trust; (2) any local images you pass (or URLs you reference) are uploaded or embedded (base64) in requests, so don’t send sensitive images you don’t want transmitted; (3) saved files go under ~/.openclaw/media or ~/.openclaw/oss or any out-dir you specify, so check filesystem permissions; (4) SKILL.md mentions ~/.openclaw/openclaw.json but the scripts read environment variables only, so ensure Showmeai_API_KEY and Showmeai_BASE_URL are actually exported in your environment; (5) network access is required. If you are comfortable with those tradeoffs and trust the Showmeai service, the bundle is consistent with its stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actual behavior: scripts call Showmeai endpoints for images (/images/*), video (Seedance task endpoint), and image-to-3D tasks. Requested env vars (Showmeai_API_KEY, Showmeai_BASE_URL) and required binary (python3) are appropriate and proportional.
- Instruction Scope (note): SKILL.md instructs running the included Python scripts, which only read the declared env vars and media files. Scripts will upload local images (or embed them as base64) and may download remote images when a URL is supplied; this is expected for reference/edit/video workflows. Minor inconsistency: SKILL.md suggests config via ~/.openclaw/openclaw.json or .env, but the scripts only read environment variables (they do not parse openclaw.json), so the user/installer must ensure env vars are set.
- Install Mechanism (ok): No install spec; this is an instruction + script bundle that runs with the system python. There are no downloads from third-party URLs or package managers during install, so disk-write/remote-install risk is low.
- Credentials (ok): Only Showmeai_API_KEY and Showmeai_BASE_URL are required and declared; they are justified by the skill's operation. The primary credential is Showmeai_API_KEY. The scripts do not request other unrelated secrets or config paths.
- Persistence & Privilege (ok): The skill is not forced-always, does not modify other skills or system settings, and only writes media to user-level directories (~/.openclaw/media or ~/.openclaw/oss) when saving. Autonomous invocation is allowed (platform default) but not combined with other concerning flags.
