critical
suspicious.env_credential_access
- Location
- scripts/lib/client.mjs:14
- Finding
- Environment variable access combined with network send.
Picwish Skills
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
A malicious or malformed base64 image request could overwrite or delete local files accessible to the OpenClaw process.
Why it was flagged
A user-controlled image_ext value is embedded directly into a filesystem path for base64 uploads, and the resulting file is later read and unlinked. Path separators or traversal segments in image_ext could cause writes/deletes outside the intended temp file path.
Skill content
const tmpPath = path.join(tmpDir, `openclaw_input_${Date.now()}.${ext || 'png'}`);
fs.writeFileSync(tmpPath, Buffer.from(base64Data, 'base64'));
...
const ext = input.image_ext || 'png';Recommendation
Validate image_ext against a strict extension allowlist, reject path separators, use a secure temporary directory/file API, and ensure cleanup only removes files created inside that directory.
ConcernHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
If PICWISH_BASE_URL is misconfigured or maliciously set, your PicWish API key and uploaded images could be sent to an unintended server.
Why it was flagged
The API base URL can be overridden by environment variable, and the same API key header is sent to the resulting URL. The code does not restrict the override to PicWish domains or enforce HTTPS.
Skill content
const override = process.env.PICWISH_BASE_URL?.trim();
if (override) return override.replace(/\/+$/, '');
...
headers: { 'X-API-KEY': apiKey },Recommendation
Do not set PICWISH_BASE_URL unless you fully trust it; the skill should enforce HTTPS and restrict overrides to approved PicWish endpoints or clearly mark this as a sensitive developer-only option.
NoteHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
If you already have a modified or untrusted oc-workspace.mjs helper, this skill may invoke it while routing outputs.
Why it was flagged
The skill can run an existing OpenClaw workspace helper script. The path is checked and symlink-contained under the OpenClaw home, so this appears purpose-aligned but still means local code may execute.
Skill content
execFileSync('node', [realScript, 'route-output', '--skill', skillName, '--name', 'tmp', '--ext', 'tmp'], { encoding: 'utf8', timeout: 5000 })Recommendation
Inspect ~/.openclaw/workspace/scripts/oc-workspace.mjs before using the skill, and keep that helper under your control.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Anyone who can see the conversation or copied result URL may be able to access the processed image until the link expires.
Why it was flagged
The skill intentionally exposes signed result URLs containing access tokens in the agent response. This is useful for downloading results but sensitive if shared.
Skill content
Always copy the **complete** `result_url` verbatim from script output — never strip query parameters (they contain required auth tokens)
Recommendation
Prefer local saved paths for sharing, avoid posting result URLs publicly, and treat result links as temporary secrets.
NoteMedium Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
It is harder to verify the publisher, review history, or compare the uploaded package to an upstream source.
Why it was flagged
The registry metadata does not provide a source repository or homepage, limiting provenance review even though the included package has no dependencies.
Skill content
Source: unknown Homepage: none
Recommendation
Install only if you trust the publisher/package, and prefer versions with a public source repository and consistent metadata.