Picwish Skills

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: picwish-skills
Version: 1.0.7

The skill bundle provides a well-structured integration for PicWish image processing APIs. It demonstrates high security awareness by implementing a robust path validation function in `scripts/run_task.mjs` that explicitly blacklists sensitive directories (e.g., .ssh, .aws, .gnupg) and restricts file access to specific image extensions. While the script can execute a local helper (`oc-workspace.mjs`), it includes safeguards to ensure the script resides within the user's home directory and uses `fs.realpathSync` to prevent symlink-based path traversal. The instructions in `SKILL.md` and the dedicated `SECURITY.md` are defensive, explicitly directing the AI agent to ignore prompt injection attempts and protect user credentials.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or malformed base64 image request could overwrite or delete local files accessible to the OpenClaw process.

Why it was flagged

A user-controlled image_ext value is embedded directly into a filesystem path for base64 uploads, and the resulting file is later read and unlinked. Path separators or traversal segments in image_ext could cause writes/deletes outside the intended temp file path.

Skill content

```js
const tmpPath = path.join(tmpDir, `openclaw_input_${Date.now()}.${ext || 'png'}`);
fs.writeFileSync(tmpPath, Buffer.from(base64Data, 'base64'));
...
const ext = input.image_ext || 'png';
```

Recommendation

Validate image_ext against a strict extension allowlist, reject path separators, use a secure temporary directory/file API, and ensure cleanup only removes files created inside that directory.

What this means

If PICWISH_BASE_URL is misconfigured or maliciously set, your PicWish API key and uploaded images could be sent to an unintended server.

Why it was flagged

The API base URL can be overridden by environment variable, and the same API key header is sent to the resulting URL. The code does not restrict the override to PicWish domains or enforce HTTPS.

Skill content

```js
const override = process.env.PICWISH_BASE_URL?.trim();
if (override) return override.replace(/\/+$/, '');
...
headers: { 'X-API-KEY': apiKey },
```

Recommendation

Do not set PICWISH_BASE_URL unless you fully trust it; the skill should enforce HTTPS and restrict overrides to approved PicWish endpoints or clearly mark this as a sensitive developer-only option.

What this means

If you already have a modified or untrusted oc-workspace.mjs helper, this skill may invoke it while routing outputs.

Why it was flagged

The skill can run an existing OpenClaw workspace helper script. The path is checked and symlink-contained under the OpenClaw home, so this appears purpose-aligned but still means local code may execute.

Skill content

```js
execFileSync('node', [realScript, 'route-output', '--skill', skillName, '--name', 'tmp', '--ext', 'tmp'], { encoding: 'utf8', timeout: 5000 })
```

Recommendation

Inspect ~/.openclaw/workspace/scripts/oc-workspace.mjs before using the skill, and keep that helper under your control.

What this means

Anyone who can see the conversation or copied result URL may be able to access the processed image until the link expires.

Why it was flagged

The skill intentionally exposes signed result URLs containing access tokens in the agent response. This is useful for downloading results but sensitive if shared.

Skill content

Always copy the **complete** `result_url` verbatim from script output — never strip query parameters (they contain required auth tokens)

Recommendation

Prefer local saved paths for sharing, avoid posting result URLs publicly, and treat result links as temporary secrets.

What this means

It is harder to verify the publisher, review history, or compare the uploaded package to an upstream source.

Why it was flagged

The registry metadata does not provide a source repository or homepage, limiting provenance review even though the included package has no dependencies.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you trust the publisher/package, and prefer versions with a public source repository and consistent metadata.