Clawy

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your image-provider API key may be used to generate images and could incur provider usage or billing.

Why it was flagged

The skill requires provider API credentials, which is expected for image generation but gives the helper script access to a paid or account-bound external service.

Skill content

The bundled helper script needs at least one configured external image-edit provider credential at runtime

Recommendation

Use a dedicated or least-privileged API key where possible and review which provider key is configured before invoking generation.

What this means

Reference images and prompts you provide for generation may be processed by third-party image services.

Why it was flagged

The skill explicitly sends user-selected images and prompts to external image providers, which is purpose-aligned but still a privacy-relevant data flow.

Skill content

when image generation/editing is invoked, the selected reference image(s) and prompt are sent to the chosen provider

Recommendation

Avoid using private or sensitive images unless you are comfortable with the chosen provider's handling of that data.

What this means

A missing default asset may be restored from an external website, so the generated avatar base can depend on that remote file.

Why it was flagged

If the default local image is missing, the helper downloads a replacement image from a remote site and writes it into the skill assets directory; this is disclosed and purpose-aligned but adds remote provenance dependency.

Skill content

fallback_url = "https://www.8uddy.land/images/clawy.png"

Recommendation

If provenance matters, verify or pin the default mother image locally before use.

What this means

The helper may fail or behave differently depending on the local curl installation, and users may not see this dependency from the metadata alone.

Why it was flagged

The helper uses a local curl subprocess to call image APIs. This is aligned with the provider-integration purpose, but the required curl binary is not declared in the registry requirements.

Skill content

subprocess.check_output(["curl", "-sS", "-X", "POST", url,

Recommendation

Ensure curl is available and review the helper script's provider calls if you plan to use the bundled script directly.