ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Remove Watermark

v0.1.7

Remove watermarks from images through the Airemovewatermark API. Use when an agent needs to remove a watermark from a local image file or remote image URL, p...

1· 78·0 current·0 all-time
by@isees
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, SKILL.md, manifest, and the included Node script all describe the same capability: uploading an image (local or remote) to airemovewatermark, polling task status, and optionally downloading results. The required binary (node) and single required credential (API_KEY) are proportional to this purpose.
Instruction Scope
SKILL.md and the script instruct the agent to read local image files (to upload them), call the remote API, poll async tasks, and optionally download results into a local artifact directory. This behavior is expected for watermark removal, but users should be explicitly aware that local files are uploaded to a remote service and that the script writes downloaded outputs to .openclaw-artifacts/remove-watermark/.
Install Mechanism
No install spec is present (instruction-only with a bundled script), so nothing is downloaded during install beyond the included files. This is low-risk compared to arbitrary remote installs.
Credentials
The manifest and SKILL.md require a single API_KEY (primary credential), which is appropriate. The script also accepts fallback environment variable names (REMOVE_WATERMARK_API_KEY and REMOVE_WATERMARK_BASE_URL) that are not declared in the manifest or SKILL.md; this is a minor inconsistency but not an obvious security problem. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' or other elevated platform privileges, and it only writes artifacts under its own .openclaw-artifacts/remove-watermark/ directory. It does not modify other skills or global agent config.
Assessment
This skill appears to do what it claims: it uploads local images to the airemovewatermark service and returns or downloads cleaned images. Before installing or using it, consider the following: - You must provide an API key (API_KEY). Keep that key secret; the script will send it to the airemovewatermark API. Treat the key like any other service credential. - Local image files are read and uploaded to the remote service as part of processing. Only use this skill with images you own or are authorized to edit. - Downloaded results (when --download true) are saved under .openclaw-artifacts/remove-watermark/ in the current working directory. - The script accepts alternate environment variable names (REMOVE_WATERMARK_API_KEY and REMOVE_WATERMARK_BASE_URL) not declared in the manifest or SKILL.md; this is a minor mismatch you should be aware of but not necessarily malicious. - There is no install-time download of remote code; the included Node script performs network calls during runtime to the declared base URL (https://airemovewatermark.net) and its asset host. If you need greater assurance, review the full script (scripts/remove_watermark.mjs) to confirm behavior for uploads, polling, and downloads before providing credentials.
scripts/remove_watermark.mjs:54
Environment variable access combined with network send.
!
scripts/remove_watermark.mjs:2
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d67b8gkjzxhq1bdjjsesss5838yzh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvAPI_KEY
Primary envAPI_KEY

SKILL.md

Remove Watermark

Use this skill when the user wants OpenClaw or another claw-style agent runtime to call the Airemovewatermark API directly.

Configuration

Required:

  • API_KEY

Optional:

  • API_BASE_URL

Get it by signing up at https://airemovewatermark.net. Newly registered users can process 3 watermark-removal tasks for free.

Example:

export API_KEY="rwm_xxx"

On Windows PowerShell:

$env:API_KEY = "rwm_xxx"

If API_BASE_URL is not set, the skill uses:

https://airemovewatermark.net

Core workflow

  1. Read the target image path or remote image URL from the user.
  2. Confirm the user wants to process that image through the remote API.
  3. Run remove.
  4. If the task is still running, poll it with task --task-id ....
  5. If the user wants a local copy, rerun with --download true or use the returned output_url.

Bundled script

Use the bundled script for all API calls:

  • scripts/remove_watermark.mjs

Supported commands:

  • credits
  • remove --file <path>
  • remove --image-url <url>
  • task --task-id <id>

Important options:

  • --wait true|false
  • --download true|false
  • --api-key <rwm_xxx>

Execution guidance

  • Prefer remove --file ... for local images.
  • Prefer remove --image-url ... for remote images.
  • Use task --task-id ... only when a previous remove call returns an unfinished task.
  • Treat credits as optional. If it fails because the key is invalid or not authorized, continue only after the user fixes credentials.
  • Downloading is opt-in. When --download true is used, completed jobs are saved under .openclaw-artifacts/remove-watermark/.
  • Prefer the top-level result_file, output_url, result_summary, and status fields in the script output instead of parsing only the raw API payload.

Example commands

node scripts/remove_watermark.mjs credits

node scripts/remove_watermark.mjs remove --file /absolute/path/to/image.png

node scripts/remove_watermark.mjs remove --file /absolute/path/to/image.png --wait true --download true

node scripts/remove_watermark.mjs remove --image-url https://example.com/image.png --wait true

node scripts/remove_watermark.mjs task --task-id task_xxx --download true

Expected result shape

Successful responses return JSON. Pay attention to:

  • status
  • result_file
  • result_summary
  • task_id
  • raw.data.task.status

Notes

  • The API accepts either Authorization: Bearer <key> or x-api-key
  • The script prints structured JSON to stdout for both success and failure
  • The skill targets https://airemovewatermark.net
  • remove --wait true uses short polling and may still return an unfinished task after about 30 seconds; if that happens, continue with task --task-id ...
  • Local files are uploaded to the remote API as part of processing
  • If a job finishes successfully and --download true is used, the script downloads the result into .openclaw-artifacts/remove-watermark/ and exposes the local file path through result_file
  • Output links are temporary and should be saved promptly
  • If the API reports insufficient credits, stop and tell the user clearly
  • credits uses the same API key auth path as the main API, so invalid or revoked keys will fail there too
  • Only use this skill for images you own or are authorized to edit

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…