Skill v1.0.1

ClawScan security

Backup image to StarDots · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 8:32 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested configuration align with its stated purpose (upload/list images to Stardots.io) and do not request unrelated credentials or hidden endpoints.
Guidance
This skill appears to do exactly what it says: read image files you point it at and upload them to Stardots.io using the configured API key/secret and space. Before installing, verify you trust stardots.io and the skill author (skill author/email are shown in skill.yaml). Be cautious about file paths you pass — the skill will attempt to read and upload any path matching an image extension, so avoid uploading sensitive files (or files renamed with image extensions). Use limited-scope API credentials if Stardots supports them, and confirm credential storage/policies in OpenClaw. If you need stronger assurance, review the included source or run in a sandboxed environment first.

Review Dimensions

Purpose & Capability
ok: Name, description, skill.yaml permissions, config.schema.json, and source code consistently implement an image backup client for https://api.stardots.io. Requested config items (apiKey, apiSecret, space) are appropriate for the described API integration.
Instruction Scope
note: The SKILL.md and code instruct the agent to read local files and upload them to Stardots. This is in-scope for a backup/upload skill, but the skill will read any file path the user supplies that matches the image-extension regex — a file with an image extension (even if it contains secrets) could be uploaded if the user or a prompt instructs it. The skill does not access other system files, env vars, or external endpoints beyond stardots.io.
Install Mechanism
ok: No install spec that downloads arbitrary artifacts; packaged JS source and package.json are included in the skill bundle. There are no external download URLs or extract steps in the manifest. Dependencies are standard (axios, form-data).
Credentials
ok: Requested configuration is limited to Stardots credentials (apiKey, apiSecret) and a space name, which are proportional to the stated functionality. The skill requires filesystem read permission and network access to api.stardots.io, both declared in skill.yaml.
Persistence & Privilege
ok: The skill is not marked always:true and uses the platform's normal autonomous invocation settings. It does not attempt to modify other skills or system-wide settings. It stores credentials via the skill config (declared secure in the manifest).