Skill v1.0.0

ClawScan security

VVMAI Image Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 2:44 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required credentials are coherent with an image-generation integration for VVMAI; it requests only the VVMAI API key and base URL and performs expected network and file operations.
Guidance
This skill appears to do what it says: it sends your prompt and any input image to VVMAI's API and may download or save returned images under your home directory. Before installing, consider:
(1) You are granting the skill an API key (VVMAI_API_KEY), so install it only if you trust VVMAI and the permissions attached to that key. Use a least-privilege or revocable key where possible.
(2) The skill fetches input image URLs and may fetch URLs returned by the API. A URL supplied by someone else, or picked up from content the agent is processing, can point at internal hosts or cloud metadata endpoints, so do not pass untrusted URLs to it (SSRF risk).
(3) The script writes files to ~/.openclaw/media or a directory you specify; make sure that matches what you expect it to write to disk.
(4) Minor doc/code mismatches: the README/SKILL.md mention config files while the script reads environment variables, and the base URL has a default in code although SKILL.md marks it as required. These are not security issues but are worth knowing.
If you need higher assurance, verify the VVMAI provider and rotate the API key after testing.
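The two operations the guidance flags, fetching a caller-supplied or API-returned URL and writing the result under an output directory, are the places where a user or skill author would add a guard. The following is an added example of such a guard; it is not the skill's own code or VVMAI's, and the function names, the blocked-range list and the sample URLs are illustrative assumptions. It refuses non-http(s) schemes, URLs with embedded credentials, and any host that resolves to a loopback, private, link-local (including the 169.254.169.254 metadata address), CGNAT or multicast range, unwrapping IPv4-mapped IPv6 literals so they cannot slip past; it also confines the output file name to the chosen directory.

```python
"""SSRF and output-path guards for an image-fetching skill.

Added example, not the skill's own code. Function names, the blocked-range
list and the sample URLs below are illustrative assumptions.
"""
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Ranges the skill should never reach on the user's behalf: loopback,
# RFC 1918, link-local (which includes the cloud metadata address
# 169.254.169.254), CGNAT, multicast, unspecified/reserved, and the IPv6
# equivalents. An explicit list is used instead of ipaddress.is_private,
# whose coverage differs between Python versions.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _addresses_for(host):
    """Every address the host maps to. IP literals never touch DNS, and
    IPv4-mapped IPv6 addresses are unwrapped so ::ffff:127.0.0.1 is caught."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(info[4][0])
                 for info in socket.getaddrinfo(host, None)]
    return [a.ipv4_mapped if getattr(a, "ipv4_mapped", None) else a
            for a in addrs]


def check_fetch_url(url):
    """Return (ok, reason); ok is False for any URL the skill should refuse."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addrs = _addresses_for(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve host: {exc}"
    for addr in addrs:
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return False, f"{parts.hostname} resolves into blocked range {net}"
    # Caveat: the HTTP client that fetches the URL resolves the name again,
    # so a DNS-rebinding host could pass here and point elsewhere later. To
    # close that gap, connect to one of the checked addresses and set the
    # Host header yourself, and re-run this check on every redirect target.
    return True, "ok"


def safe_output_path(out_dir, url, default_name="image.png"):
    """Derive a file name from the URL path and confine it to out_dir."""
    base = Path(out_dir).expanduser().resolve()
    raw = Path(urlparse(url).path).name
    name = "".join(c if c.isalnum() or c in "._-" else "_" for c in raw)
    name = name.lstrip(".") or default_name
    target = (base / name).resolve()
    if base not in target.parents:
        raise ValueError(f"{target} escapes {base}")
    return target


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is actually fetched.
    for sample in ("https://93.184.216.34/cat.png",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]/admin",
                   "file:///etc/passwd"):
        print(sample, "->", check_fetch_url(sample))
    print(safe_output_path("~/.openclaw/media", "https://93.184.216.34/../x/cat.png"))
```

The guard belongs in front of both fetches the review describes, the input image download before /images/edits and any download of URLs returned by the API, since the API response is itself untrusted input. Because the check resolves the name once and the client resolves it again, the rebinding caveat in the comment matters for high-assurance setups; for a local media tool, running the check plus disabling automatic redirects is usually the practical middle ground.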

Review Dimensions

Purpose & Capability
ok: Name/description, the required binary (python3), and the required env vars (VVMAI_API_KEY, VVMAI_BASE_URL) all match the claimed purpose of calling VVMAI's Images API. The included script calls /images/generations and /images/edits as described. Minor note: SKILL.md states VVMAI_BASE_URL is required, but the script falls back to a sensible default (https://api.vvmai.com/v1) when it is unset.
Instruction Scope
note: The runtime instructions only invoke the bundled Python script, and the script's behavior is limited to calling the VVMAI API, optionally downloading an input image URL, and saving output images under ~/.openclaw/* or a specified directory. It prints MEDIA:... lines as documented. SKILL.md mentions configuration via .env or ~/.openclaw/openclaw.json, but the script reads environment variables only; the platform may populate the environment from those files, but the documented and implemented mechanisms differ slightly.
Install Mechanism
ok: No install spec is provided (instruction-only), and the included script is plain Python. The skill itself performs no external downloads or package installs, which is the lowest-risk install pattern.
Credentials
ok: Only VVMAI_API_KEY (the primary credential) and VVMAI_BASE_URL are required, and both are directly needed to call the VVMAI API. No unrelated secrets or system config paths are requested. Minor inconsistency: SKILL.md marks VVMAI_BASE_URL as required while the script provides a default; this is benign but worth noting.
Persistence & Privilege
ok: The skill does not request always:true and uses the normal autonomous-invocation defaults. It writes only under the user's home (~/.openclaw/media or oss) or a user-specified directory, creating those directories if missing; this is expected for a media tool and does not modify other skills or global agent settings.