Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Profile Images

Agent Profile Images for OpenClaw Control UI — upload custom avatars, generate themed AI profile images, preview before saving, and persist agent avatars acr...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 63 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to add UI features (avatar upload, preview, generation) but bundles server/protocol snapshots that add gateway RPCs and schema changes. That can be legitimate for a full-featured implementation, but the snapshots also classify agents.avatar.* methods as ADMIN_SCOPE — making avatar upload/generation/removal admin-only. Elevating routine avatar operations to admin level is unexpected and should be justified.
! Instruction Scope
SKILL.md instructs adding gateway RPCs, session-utils fixes, and persistence via workspace IDENTITY.md. It also states OpenAI Images is the implemented provider but declares no provider credential handling. The pre-scan flagged a 'system-prompt-override' pattern in SKILL.md (prompt-injection signal). The instructions imply backend code changes rather than only client-side UI changes; that expands the trust and impact surface and is not confined to a simple UI plugin.
Install Mechanism
This is instruction-only with no install spec and no binaries to fetch, which minimizes install-time risk. The package contains source snapshots only, so it won't automatically download or execute remote code during install.
! Credentials
SKILL.md mentions using OpenAI Images as the provider but requires no environment variables or primary credential. If the feature makes live calls to OpenAI (or any external provider), an API key or centralized platform credential would normally be needed. The lack of declared credentials is an inconsistency that could indicate missing documentation or an attempt to rely on platform-global secrets without explicit declaration.
Persistence & Privilege
The skill does not request always:true and has no install actions, but the included snapshots propose adding admin-scoped gateway methods and modifying session/gateway utilities. That represents a change with elevated privilege implications (gateway-level RPCs), so it should be reviewed before enabling on production systems despite not demanding persistent presence itself.
Scan Findings in Context
[system-prompt-override] unexpected: The prompt-injection detector flagged patterns consistent with attempts to override system prompts. The visible SKILL.md does not obviously contain an explicit system prompt override, so this may be a false positive or an obfuscated attempt; either way it increases risk and should be investigated before trusting the skill.
What to consider before installing
Before installing:

(1) Verify the skill author and provenance — this package has no homepage and an unknown source.
(2) Inspect the provided server/gateway snapshots yourself (or have a trusted engineer do so) — they propose adding admin-scoped RPCs and modifying session/gateway code. Confirm that avatar operations truly require admin scope and that method access controls are appropriate.
(3) Confirm how image generation credentials are provided: the SKILL.md states OpenAI Images is used but declares no API key or env vars; ensure any provider keys are handled securely (centralized secrets store) and not implicitly assumed.
(4) Treat the prompt-injection signal seriously — review SKILL.md and supplied files for any embedded instructions intended to influence model/system prompts or to exfiltrate data.
(5) If you lack the capacity to review code, test the skill in an isolated dev/staging environment (not production) and restrict permissions for gateway changes until a full audit is done.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk97cwr9247bq5rftp4gmcwrtq1832q2v

SKILL.md

agent-profile-images

name: agent-profile-images
version: 1.0.0
author: Charles Sears
description: Adds agent profile image upload, AI generation, preview/keep-regenerate-cancel flow, and avatar persistence fixes to the OpenClaw Control UI.


What This Skill Adds

1. Agent Profile Image Card in Agents → Overview

Adds a dedicated Profile Image section to the Agents Overview panel with:

  • current avatar preview
  • upload button
  • remove button
  • theme selector
  • custom generation instructions
  • generate button
  • preview state messaging

2. Avatar Upload RPC

Adds agents.avatar.upload so the Control UI can upload a PNG/JPG/WEBP/GIF image and save it into the agent workspace.

3. AI Avatar Generation RPC

Adds agents.avatar.generate for themed image generation using OpenAI Images.

4. Preview / Keep / Regenerate / Cancel Loop

Generation does not auto-save. Instead:

  • Generate → preview only
  • Keep → saves generated image as the agent avatar
  • Regenerate → requests a new preview
  • Cancel → discards preview and preserves the previous avatar

5. Persistent Avatar Resolution

Fixes the gateway agent-list/session-utils path so avatar information from workspace IDENTITY.md is reflected correctly across Agents UI, chat UI, refreshes, and reloads.

6. Fresh Identity Reloads on Agents Tab

Fixes stale UI state by forcing the Agents tab to refresh identity data when entering the tab and after avatar-changing actions.


Backend Methods Added

Method                   Description
agents.avatar.upload     Upload and save a profile image into the agent workspace
agents.avatar.generate   Generate a themed avatar preview using OpenAI Images
agents.avatar.remove     Remove the current stored avatar

Theme Presets Included

  • Professional
  • Sci-Fi
  • Cyberpunk
  • Fantasy
  • Space Opera
  • Creature Collector
  • Mascot
  • Noir

Storage Model

Saved avatars are written into the agent workspace under avatars/ and persisted via IDENTITY.md using:

- Avatar: avatars/profile.png

This reuses the existing Control UI avatar serving path (/avatar/:agentId) and keeps images portable with the agent workspace.
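
When reviewing the upload RPC and this storage model, two checks are worth looking for in the snapshots: that uploaded bytes are identified by content rather than by filename, and that the Avatar path read back from IDENTITY.md cannot point outside avatars/. The sketch below is an added example, not code from the skill or from OpenClaw; the function names and the size cap are assumptions.

```typescript
// Added example: not taken from the skill's references/ snapshots.
// Function names and MAX_AVATAR_BYTES are assumptions for illustration.
type ImageKind = "png" | "jpg" | "webp" | "gif";

const MAX_AVATAR_BYTES = 2 * 1024 * 1024; // assumed cap; the page states no limit

function hasBytes(buf: Uint8Array, sig: number[], offset = 0): boolean {
  if (buf.length < offset + sig.length) return false;
  return sig.every((b, i) => buf[offset + i] === b);
}

// Identify the image type from its leading bytes, ignoring any
// client-supplied filename or MIME type. Returns null for anything else.
function sniffImage(buf: Uint8Array): ImageKind | null {
  if (buf.length === 0 || buf.length > MAX_AVATAR_BYTES) return null;
  if (hasBytes(buf, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "png";
  if (hasBytes(buf, [0xff, 0xd8, 0xff])) return "jpg";
  if (hasBytes(buf, [0x47, 0x49, 0x46, 0x38])) return "gif"; // "GIF8"
  const riff = hasBytes(buf, [0x52, 0x49, 0x46, 0x46]); // "RIFF"
  if (riff && hasBytes(buf, [0x57, 0x45, 0x42, 0x50], 8)) return "webp"; // "WEBP"
  return null;
}

// Read the "- Avatar: <path>" line from IDENTITY.md text and accept it only
// when it names a file directly under avatars/ with an allowed extension.
function avatarPathFromIdentity(identityMd: string): string | null {
  const m = /^[ \t]*-[ \t]*Avatar:[ \t]*(\S+)[ \t]*$/m.exec(identityMd);
  if (!m) return null;
  const p = m[1];
  if (p.startsWith("/") || p.includes("\\") || p.includes("\0")) return null;
  const parts = p.split("/");
  if (parts.length !== 2 || parts[0] !== "avatars") return null;
  if (!/^[A-Za-z0-9_-]+\.(png|jpe?g|webp|gif)$/.test(parts[1])) return null;
  return p;
}
```
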


Files Included

The references/ folder contains the feature implementation snapshots for these files:

  • src/gateway/method-scopes.ts
  • src/gateway/protocol/index.ts
  • src/gateway/protocol/schema/agent.ts
  • src/gateway/protocol/schema/agents-models-skills.ts
  • src/gateway/protocol/schema/protocol-schemas.ts
  • src/gateway/protocol/schema/types.ts
  • src/gateway/server-methods-list.ts
  • src/gateway/server-methods/agent.ts
  • src/gateway/server-methods/agents.ts
  • src/gateway/session-utils.ts
  • ui/src/ui/app-render.ts
  • ui/src/ui/app-view-state.ts
  • ui/src/ui/app.ts
  • ui/src/ui/types.ts
  • ui/src/ui/views/agents-panels-overview.ts
  • ui/src/ui/views/agents.ts

Notes

  • This skill packages the source-level feature implementation.
  • A temporary live compiled-bundle hotfix was used during development to unblock testing, but that tactical dist patch is not part of this skill package.
  • OpenAI image generation is currently the implemented provider path in this package.
  • The full OpenClaw repo may contain unrelated build/runtime issues outside this feature; this skill is scoped only to agent profile image functionality.

Recommended Publish Changelog

Initial release: agent profile image upload, themed AI generation, preview/keep-regenerate-cancel loop, and refresh-state fixes.

Files

17 total