Skill v1.2.1
ClawScan security
Dream Avatar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 5:55 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent for creating talking-avatar videos: it only requires a DREAM_API_KEY and describes the expected upload → generate → poll flow, but it will upload local files to third-party storage and asks you to store your API key in your OpenClaw config (so consider privacy and provenance before use).
- Guidance: This skill appears to do what it says, but before installing: (1) confirm you trust the remote service (api.newportai.com / Dreamface) because local images and audio will be uploaded to third-party storage; (2) be aware the SKILL.md suggests writing your DREAM_API_KEY into OpenClaw config (~/.openclaw/openclaw.json), which persists the secret — consider using a scoped or short-lived key and protect the config file; (3) avoid uploading sensitive or private images/audio (faces, IDs, medical or legal recordings) unless you accept that they will be stored/processed externally; (4) provenance is limited (no homepage/source details), so if you need stronger assurance verify the API endpoints and vendor independently and consider revoking the API key after testing.
Review Dimensions
- Purpose & Capability (note): The name/description (DreamAvatar video generation) aligns with the runtime instructions (get upload policy, upload image/audio to OSS, call image_to_video API, poll for result). Required env var DREAM_API_KEY is appropriate. Minor provenance concern: skill source/homepage are missing (no homepage URL and source 'unknown'), so you cannot easily verify the publisher or service beyond the API domains referenced in the SKILL.md.
- Instruction Scope (note): SKILL.md explicitly instructs the agent to upload local image/audio files to the service's OSS (third-party storage) and to poll the remote API for results. It also includes CLI instructions that write the API key into the OpenClaw config (~/.openclaw/openclaw.json). These behaviors are expected for this functionality but have privacy implications (your files and the key are sent/stored externally). The instructions do not ask the agent to read unrelated files or other environment variables.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no bundled code, so nothing is written or executed on install by the skill itself. That is the lowest-risk install profile.
- Credentials (note): Only DREAM_API_KEY is required and declared as the primary credential — this matches the documented API usage. Be aware the SKILL.md recommends storing the key in OpenClaw config or ~/.openclaw/openclaw.json, which persists the secret on disk; consider the security of that storage and prefer short-lived or scoped keys if possible.
- Persistence & Privilege (ok): always is false and the skill does not request elevated persistent privileges or to modify other skills or system-wide settings beyond storing its own env entry. Autonomous invocation is allowed (platform default) but not a new privilege introduced by this skill.
