Skillv1.0.0

ClawScan security

Agent Postcard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 26, 2026, 9:59 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill implements its stated postcard functionality, but metadata and runtime behavior are inconsistent and it will read local persona files and send that text to an external API (potential privacy/exfiltration risk).
Guidance: This skill appears to do what it says (create and download postcards), but there are important issues to consider before installing or using it: - Metadata mismatch: The registry metadata does not list TURAI_API_KEY or OPENCLAW_WORKSPACE even though the script and SKILL.md require TURAI_API_KEY and the script reads OPENCLAW_WORKSPACE. Confirm the skill's declared requirements before providing credentials. - Persona privacy / data exfiltration: By default the agent will read SOUL.md or IDENTITY.md (and ../SOUL.md) and include extracted persona text in the request body sent to turai.org. If those files contain personal, proprietary, or sensitive information, that content will be transmitted to an external service. Consider removing or sanitizing persona files or running the skill in a controlled environment. - Trust the API endpoint: The skill sends data to https://turai.org. Only supply your TURAI_API_KEY to this skill if you trust that service and the key's permissions. Consider creating a scoped or expendable key for testing. - Path scope: The script will search parent directories; if you need to restrict file access, run the script from a sandboxed workspace or pass an explicit --selfie prompt to avoid auto-reading persona files. - Suggested mitigations: Update registry metadata to declare TURAI_API_KEY as a required credential; document OPENCLAW_WORKSPACE; add a clear consent prompt before sending persona content; or change the script to redact or summarize persona text locally rather than sending raw content. If you cannot validate the upstream service or update the code, run the script only in an isolated environment and avoid exposing sensitive persona files or production API keys.

Review Dimensions

Purpose & Capability: noteThe name/description match the included script: it calls a Turai postcard API to generate and download an image. However the registry metadata claims no required environment variables or primary credential, while both SKILL.md and the script clearly require a TURAI_API_KEY. This metadata omission is an inconsistency.
Instruction Scope: concernThe SKILL.md and script instruct the agent to auto-read persona files (SOUL.md / IDENTITY.md, and even ../SOUL.md) and embed extracted persona text into the selfiePrompt sent to https://turai.org. That means local persona content (which may contain private or identifying information) is transmitted to a third party without any granular consent or redaction. The script will also accept an explicit --persona path or default to parent directory, enabling reading outside the workspace.
Install Mechanism: okNo install spec or third‑party package downloads are present; this is an instruction/script-only skill and does not write additional code to disk during install, which is low-risk from an install mechanism perspective.
Credentials: concernThe skill requires a Turai API key at runtime (TURAI_API_KEY) but the registry metadata declares no required env vars or primary credential — a mismatch that could mislead users. The script also respects OPENCLAW_WORKSPACE (not documented in SKILL.md), which affects where it looks for persona files. Requesting an external API key is proportionate to the advertised purpose, but the undocumented/missing env-var declarations and the reading/transmission of local persona files are problematic.
Persistence & Privilege: okThe skill does not request persistent presence (always is false), does not modify other skills or global agent settings, and has no install hook. It does not request elevated privileges beyond reading files in the workspace and parent directory.