Claw Xiaoai
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is a coherent image-generation companion that uses a ModelScope API key and stores limited local state, both of which users should understand before installing.
This skill appears purpose-aligned and not malicious. Before installing, understand that it needs a ModelScope API key, sends image prompts to ModelScope, writes generated images locally, and stores limited local state for continuity. Use a dedicated API key and avoid including sensitive information in selfie prompts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may consume or expose usage on the user's ModelScope account, though the code does not show credential logging or unrelated credential access.
The skill reads a ModelScope API key from environment variables or the OpenClaw config so it can call the image-generation provider.
const apiKey = process.env.MODELSCOPE_API_KEY || process.env.MODELSCOPE_TOKEN || readApiKeyFromOpenClawConfig();
Use a dedicated ModelScope key if possible, keep it in the OpenClaw skill API-key field or environment storage, and rotate it if you uninstall or no longer trust the skill.
Text used to create the selfie image is transmitted to ModelScope, so sensitive details included in prompts may leave the local device.
The generated image prompt is sent to the external ModelScope API, which is expected for this image-generation skill.
fetchJson(`${baseUrl}v1/images/generations`, timeoutMs, { method: 'POST', headers: { ...commonHeaders, 'X-ModelScope-Async-Mode': 'true' }, body: JSON.stringify({ model, prompt }) })
Avoid putting private or confidential information into selfie prompts, and review ModelScope's data handling terms if that matters for your use case.
A previous selfie request can be retained locally and reused to shape later prompts, which is helpful for continuity but may preserve sensitive prompt text.
The prompt builder saves local continuity state, including the last request, scene, outfit, pose, and camera angle.
const STATE_PATH = resolve(process.env.HOME || '/root', '.openclaw', 'claw-xiaoai-state.json'); ... lastRequest:request
Do not include sensitive information in requests if you do not want it stored locally; use the script's `--no-save` option or delete `~/.openclaw/claw-xiaoai-state.json` to clear the state.
When a selfie request is handled successfully, the agent may send an image file directly rather than only describing it.
The skill instructs the agent to use a messaging tool to return the generated local image file, which is aligned with the selfie-generation purpose.
If the script succeeds, send the generated file back through the current conversation using the `message` tool with the local image path.
Use the skill only when you are comfortable with the agent generating and sending image files in response to photo/selfie requests.
