v1.0.5

Dream dance of Clawra

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:21 AM.

Analysis

This skill is mostly about sending images, but it also ships setup code that can persistently change an agent’s identity/persona and use OpenClaw messaging authority.

GuidanceReview this carefully before installing. If you only want a fun image-sending skill, avoid running the packaged installer unless you are comfortable with it changing your OpenClaw agent’s identity/persona files. Back up SOUL.md and IDENTITY.md, verify every channel and recipient before sending, and ensure users understand the images are hosted/fixed media rather than real selfies.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

package.json

"bin": { "clawra": "./bin/cli.js" }, "install": "node ./bin/cli.js --install"

The package ships an executable installer path even though the registry summary presents the skill as having no install spec. That installer should be reviewed because it performs local OpenClaw workspace changes.

User impactA user may think this is instruction-only, but running the packaged installer can modify local agent files.

RecommendationTreat the installer as privileged setup code; review it before running npx/npm commands and prefer an install flow that clearly declares all file changes.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

allowed-tools: Bash(npm:*) Bash(npx:*) Bash(openclaw:*) Bash(curl:*) Read Write WebFetch

The allowed tool scope is broad for a skill whose stated runtime task is to choose a fixed image URL and send it through OpenClaw.

User impactIf invoked, the agent has authority to run broad OpenClaw/curl commands and read/write files, not just send one selected image.

RecommendationRestrict tools to the narrow commands needed for message sending, require explicit confirmation for each recipient/channel, and avoid broad Read/Write or npm/npx access during normal use.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

templates/soul-hao.md

I am `Haocun` -- a dancer, famous actress... I will reply you with my snapshot images of dancing or seflie

The persona template instructs the agent to present as a real famous person and send fixed hosted images as personal snapshots/selfies.

User impactRecipients could be misled into thinking the agent is a real person or is sending authentic selfies.

RecommendationClearly label the persona as fictional/fan roleplay and disclose that images are fixed hosted media, not real-time selfies.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

-H "Authorization: Bearer $OPENCLAW_GATEWAY_TOKEN"

The skill can use an OpenClaw gateway token to send messages through the user’s configured messaging accounts, which is expected but sensitive.

User impactThe skill may send media/messages using the user’s OpenClaw-connected messaging identity.

RecommendationUse a least-privilege gateway token if available, verify the target/channel before sending, and avoid installing if you do not want the agent to access messaging accounts.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityHighConfidenceHighStatusConcern

bin/cli.js

// Write IDENTITY.md (overwrite if exists)
fs.writeFileSync(IDENTITY_MD, identityContent);

The installer overwrites the selected workspace identity file with the skill’s persona, creating a persistent context change that can affect later conversations.

User impactInstalling may permanently change how the chosen OpenClaw agent identifies itself and behaves after the original task is over.

RecommendationBack up IDENTITY.md and SOUL.md first; the skill should append clearly scoped capability text instead of overwriting identity, and should provide an uninstall/rollback path.

Insecure Inter-Agent Communication

SeverityLowConfidenceMediumStatusNote

scripts/clawra-selfie.sh

openclaw agent --timeout 10 --thinking "off" --agent main -m "check user wants me 'dance' or 'selfie', JUST IN ONE lowercase WORD: $1"

The helper script routes user prompt text into the main OpenClaw agent for a simple classification step, creating an agent-to-agent boundary that is not clearly constrained in the artifact.

User impactUser text may be processed by another agent context just to choose an image type.

RecommendationUse a deterministic keyword classifier or a constrained classifier with no tools and clear input/output boundaries.