Skill v1.0.2
ClawScan security
Cat Selfie · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 11:25 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is coherent with its stated purpose (generating cat selfies via Volcengine/doubao model); requested credentials and behavior align with that purpose, though the registry metadata omits the env vars the SKILL.md asks for and the skill invokes an external image-generation script you should verify before use.
- Guidance
- This skill appears to do what it says: it picks a scene and runs an existing Volcengine image-generation script to create images. Before installing or enabling it: 1) Confirm you intend to provide a Volcengine API key (ARK_API_KEY) and that it will be stored in ~/.openclaw/openclaw.json as instructed. 2) Inspect the volcengine-image-generate skill (especially scripts/image_generate.py) — the JS calls that Python script, so any network calls or credential use happen there. 3) Only install/use if you trust the source of the volcengine-image-generate skill; if you don't, avoid providing secrets. 4) If you want metadata to reflect reality, ask the publisher to update registry metadata to declare required env vars. Overall: functionally coherent, but the dependency on an external skill/script is the primary place to audit for safety.
Review Dimensions
- Purpose & Capability
- ok: The name/description claim to generate images with the doubao-seedream model. The code calls an external Volcengine image-generation script and the SKILL.md asks for ARK_API_KEY and MODEL_IMAGE_NAME — all consistent with an image-generation skill. Note: the registry metadata lists no required env vars while SKILL.md instructs you to set ARK_API_KEY and MODEL_IMAGE_NAME; this metadata mismatch is inconsistent but does not contradict the skill's purpose.
- Instruction Scope
- note: Runtime instructions are scoped to reading local scenes config, invoking the volcengine-image-generate script, and writing images to ~/.openclaw/workspace/images. The script uses child_process.execSync to run a Python generator located in another skill's path (../../volcengine-image-generate/scripts/image_generate.py). Calling that external script is expected for this purpose, but it means the effective behavior depends on that other skill's code.
- Install Mechanism
- ok: No install spec (instruction-only with included JS/PATH files). Nothing is downloaded or extracted during install by this skill itself, so installation risk from this package is low.
- Credentials
- note: SKILL.md requires ARK_API_KEY (Volcengine API key) and MODEL_IMAGE_NAME which are proportionate to contacting an image-generation API. However, the package/registry metadata lists no required env vars — an inconsistency you should verify before installing (the skill expects credentials in ~/.openclaw/openclaw.json).
- Persistence & Privilege
- ok: always is false and the skill does not request to persist or modify other skills or system-wide settings. It can be invoked autonomously by agents (platform default), which is normal; no elevated privileges are requested.
