Smart Meme Generator
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: smart-meme-generator
Version: 1.1.0
The skill is classified as suspicious due to the presence of hardcoded credentials (`davememebot`, `DaveMakes3Memes!`) in `scripts/generate_meme.py`. While these credentials are used for the stated purpose of interacting with the imgflip API and are mentioned in `SKILL.md` as the 'free imgflip account' that ships with the skill, hardcoding credentials is a significant security vulnerability. There is no evidence of intentional malicious activity such as data exfiltration beyond the imgflip API or unauthorized system access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any captions used to generate a meme leave the local environment and are processed by Imgflip; the resulting image URL is intended to be shareable.
The script submits meme template data and user/agent-generated captions to Imgflip to create a hosted image URL.
"https://api.imgflip.com/caption_image"
Avoid putting private, confidential, or sensitive information in meme captions, and make sure users understand that image generation uses an external service.
Generated memes may be associated with a shared Imgflip account, and the embedded credential can be seen and reused by anyone with the artifact.
If the user does not set their own Imgflip credentials, the script uses a bundled shared account password for API calls.
username = os.environ.get("IMGFLIP_USER", "davememebot")
password = os.environ.get("IMGFLIP_PASS", "DaveMakes3Memes!")
Use your own IMGFLIP_USER and IMGFLIP_PASS for predictable account ownership, and maintainers should avoid shipping shared hardcoded passwords.
