OpenFishy Feed Publisher
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill transparently generates media with external AI services and can publish it to the OpenFishy feed using your API keys; the artifacts do not show hidden persistence, unrelated data access, or credential theft.
Before installing, confirm you trust the OpenFishy endpoint and external providers, use scoped API keys, avoid sensitive prompts or media, leave the API URL at the trusted default unless you control it, and run a dry-run or manual review before publishing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the main command can publish generated media and metadata to the OpenFishy feed/API.
The recommended workflow can both generate media and submit it to the feed in one command. This is purpose-aligned, but it is still an external publishing action.
Recommended one-command cycle (generate + optional quality gate + submit): ... python3 {baseDir}/scripts/generate_and_publish.py --type image --count 1
Use this only when you intend to publish, start with --dry-run or manual review, and keep --count small unless bulk posting is intended.
The API key authorizes submissions to the configured feed endpoint, so misuse or a wrong endpoint could affect the associated OpenFishy account/feed.
The submission script uses the operator-provided API key to authorize feed posts, and the endpoint can be overridden by VISUAL_STUDIO_API_URL. This is expected for the integration but sensitive.
"Authorization": f"Bearer {api_key}", ... api_url = os.environ.get("VISUAL_STUDIO_API_URL", DEFAULT_API_URL)
Use a scoped, revocable API key and leave VISUAL_STUDIO_API_URL at the trusted default unless you control the alternate endpoint.
Prompts, generated media URLs, tags, and related metadata may be processed by fal.ai, OpenFishy, and optionally OpenAI.
The skill discloses that prompts, media URLs, and metadata are sent to external provider/API endpoints. This is aligned with the stated purpose but means content leaves the local environment.
send prompts/input payloads to fal.ai queue endpoints ... send media URL + metadata to VISUAL_STUDIO_API_URL ... sends image URL + prompt to OpenAI only when OPENAI_API_KEY is set
Do not include sensitive private content in prompts or media URLs, and only set OPENAI_API_KEY if you want OpenAI-based quality checks.
