Stock Images
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: stock-images
Version: 1.0.0
The skill is classified as suspicious due to potential prompt injection vectors and the inclusion of `curl` command examples. The `SKILL.md` instructs the agent to 'read `setup.md` silently' on first use, which is a direct prompt injection surface, though the current content of `setup.md` is benign. Additionally, `providers.md` contains `curl` examples for API interaction (e.g., `curl -H "Authorization: YOUR_API_KEY" ...`), which, if executed by the agent without proper sandboxing or user confirmation, could lead to arbitrary command execution and external network calls beyond the skill's stated purpose. While there is no clear evidence of intentional malicious behavior like data exfiltration or persistence, these elements represent significant vulnerabilities in the agent's execution model.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Image providers may see the search terms and requested sizes used to generate stock-photo URLs.
The skill discloses that third-party image services receive requested dimensions and optional search terms. This is purpose-aligned for retrieving image URLs, but the terms may reveal project context.
**Data that leaves your machine:**
- HTTP requests with dimensions and optional search terms
Use generic search terms for sensitive projects and review each provider's terms or privacy practices if the image request is confidential.
Saved preferences could persist across sessions and influence future stock-image recommendations.
The skill includes an optional local memory file for saved image preferences. The artifact clearly makes this user-directed, but it is still persistent context that can affect future choices.
Create `~/stock-images/memory.md` if user wants to save preferences ... Only create memory.md if they ask for saved preferences or consistent style guidance.
Only create the memory file if you want persistent preferences, avoid storing sensitive project details, and delete or edit the file if preferences change.
If you choose to use provider APIs, the API key may authorize requests against your provider account or quota.
The provider reference documents optional API-key workflows for stock-photo APIs. This is expected for those services and no storage or leakage is shown, but keys grant account/quota access.
Pexels ... **API (requires free key):** ... curl -H "Authorization: YOUR_API_KEY"
Use provider keys only when needed, avoid pasting real keys into shared chats or files, and revoke any key that may have been exposed.
