Back to skill
Skillv3.2.1
ClawScan security
Perstudio Image and Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 25, 2026, 9:03 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and install steps align with its stated purpose (image/video generation) and nothing requested appears disproportionate to that purpose.
- Guidance
- This skill appears internally consistent: it needs only a perstudio API key and an npm client plugin and restricts uploads to a small set of directories. Before installing, verify the npm package and GitHub repository match (to avoid typosquatting), review the source code if you can, and confirm the package maintainers/publishing history. Treat PERSTUDIO_API_KEY like any API secret: use a scoped or revocable key if possible, rotate it regularly, and avoid uploading sensitive personal or proprietary images since assets are sent to an external service (perstudio.ai) and generation incurs costs.
Review Dimensions
- Purpose & Capability
- okName/description match the declared requirements: a single PERSTUDIO_API_KEY and an npm package (perstudio-openclaw) are reasonable for a third-party image/video generation integration. The declared config path (plugins.entries.perstudio.config.apiKey) is consistent with storing the API key.
- Instruction Scope
- okSKILL.md instructions focus on generation actions and uploading assets. File-access rules are explicit (allowlist for ~/Pictures, ~/Downloads, ~/Desktop, ~/.openclaw/workspace, and temp) and the doc states symlink resolution is performed. Instructions do not ask the agent to read unrelated system files or additional environment variables.
- Install Mechanism
- noteInstall is via a named npm package (perstudio-openclaw) which is an expected mechanism for a Node-based plugin. NPM installs carry the usual supply-chain risk (typosquatting, malicious package updates), but the mechanism itself is coherent with the skill's purpose. The SKILL.md also points to a GitHub repo for review.
- Credentials
- okOnly one credential (PERSTUDIO_API_KEY) is required and it is identified as the primary credential; this is proportionate for a hosted generation service. No other unrelated secrets or config paths are requested.
- Persistence & Privilege
- okThe skill is not always-enabled, and model invocation is allowed (the platform default). The skill does not request elevated or cross-skill configuration changes beyond storing its own API key in the declared plugin config path.