Agent Profile Images

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If applied blindly, source snapshots could overwrite or alter core OpenClaw gateway/UI behavior beyond what the user expected.

Why it was flagged

The skill is presented as source snapshots rather than a pinned installer or minimal patch, so applying it requires provenance and diff review.

Skill content

This skill packages the source-level feature implementation... The `references/` folder contains the feature implementation snapshots

Recommendation

Review the referenced files as diffs against your exact OpenClaw version and apply only the avatar-related changes you intend.

What this means

Avatar upload is expected, but weak validation in the implementation could allow oversized or invalid files to be submitted.

Why it was flagged

The upload RPC accepts user-supplied file metadata and image data; the visible schema does not itself bound MIME type, size, or image validity.

Skill content

filename: NonEmptyString,
contentType: NonEmptyString,
data: NonEmptyString

Recommendation

Ensure the backend implementation validates file type, size, decoding, and storage path before enabling the upload RPC.

What this means

An operator with admin scope can change or remove stored agent avatars.

Why it was flagged

The avatar mutation methods are placed in the admin-only method group, meaning they require elevated operator authority.

Skill content

"agents.avatar.upload",
"agents.avatar.generate",
"agents.avatar.remove"

Recommendation

Keep admin gateway credentials limited to trusted users and confirm avatar changes are user-initiated.

What this means

Custom avatar prompts or instructions may be processed by OpenAI according to that provider’s policies.

Why it was flagged

The feature uses an external image-generation provider, so generation themes/instructions may be sent outside the local OpenClaw environment.

Skill content

Adds `agents.avatar.generate` for themed image generation using OpenAI Images.

Recommendation

Avoid putting secrets or sensitive private details in avatar generation instructions, and verify which OpenAI credentials/account will be used.