removebg-api
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears purpose-aligned: it sends a user-selected workspace image to remove.bg with an API key and writes the result to a scoped output folder.
Before installing, make sure you are comfortable sending selected images to remove.bg and spending account quota. Store REMOVE_BG_API_KEY as a secret, and use an output path under outputs/removebg-api/ because the code enforces that scope.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A run can consume remove.bg credits or paid quota, and the key should be treated as a secret.
The tool uses an environment API key to authorize requests to remove.bg; this matches the stated API-key integration but gives the skill access to the user's remove.bg account/quota.
key = os.getenv("REMOVE_BG_API_KEY") ... req.add_header("X-Api-Key", key)Provide the key through OpenClaw config or another secret mechanism, avoid exposing it in chat/logs, and rotate it if it may have been disclosed.
Images processed with this skill leave the local workspace and are handled by a third-party service.
The selected image bytes are sent to the remove.bg cloud API for processing; this is disclosed by the skill's cloud-processing purpose.
API_URL = "https://api.remove.bg/v1.0/removebg" ... body.extend(file_data) ... request.urlopen(req, timeout=90)
Use it only for images you are comfortable sending to remove.bg, and review remove.bg's privacy and retention terms for sensitive content.
Users have less external context for verifying the publisher or project origin.
The registry metadata does not provide an upstream source or homepage, which limits provenance checks even though the included code is visible and no remote installer is present.
Source: unknown; Homepage: none
Review the included script and install only from a registry or publisher you trust.