Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Digital Product Builder
v1.0.3
Build and launch zero-cost digital products on Gumroad, itch.io, and DriveThruRPG. Use when creating cover images, asset sheets, or product listings. Generat...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The claimed capabilities (cover images with Pillow, copy with Groq) are coherent with the SKILL.md content. Using Pillow and writing zip bundles is reasonable for a digital product builder. The SKILL.md also references orchestration with the 'Claude main session' which is plausible but not represented in metadata.
Instruction Scope
Runtime instructions read local font directories and write image/zip output (expected for image and bundle generation). However, the doc instructs storing GROQ_API_KEY at a specific path (~/.openclaw/workspace/dashboard/.env) and shows code that reads process.env.GROQ_API_KEY; the skill manifest lists no required env vars. Instructions therefore access/expect credential configuration outside the declared manifest, which is an incoherence and a potential surprise for users.
Install Mechanism
This is an instruction-only skill with no install spec or code files. The Quick Start suggests installing Pillow via pip if missing — a low-risk, expected developer dependency. No archive downloads or external installers are present.
Credentials
The SKILL.md requires a Groq API key (GROQ_API_KEY) but the registry metadata declares no required environment variables or primary credential. It also directs storing the key in an OpenClaw-specific workspace path (~/.openclaw/...), which could cause secrets to be placed in a shared or agent-managed location unexpectedly. Aside from font directories and output file paths (reasonable for the task), there are no other credentials requested.
Persistence & Privilege
always:false and no install spec means the skill does not demand permanent inclusion or write system-wide configuration. It does not request modification of other skills or system settings in the provided instructions.
What to consider before installing
The skill appears to do what it says (local image generation with Pillow and copy via Groq), but there are two things to check before installing/using it: (1) the SKILL.md expects a Groq API key (GROQ_API_KEY) but the skill metadata does not declare any required env vars — ask the publisher to explicitly list required credentials and why they are needed; (2) the docs tell you to store the Groq key in ~/.openclaw/workspace/dashboard/.env, which is an implementation-specific path (possibly shared with the agent). Do not place secrets in locations you don't control or that other skills/processes can read. Prefer storing API keys in a secure location (your system env, a secrets manager, or a clearly documented per-skill config file) and verify the file permissions. Other practical checks: run the provided Pillow scripts locally in a sandbox, verify network calls go only to api.groq.com, and request an updated manifest that lists GROQ_API_KEY (or documents an alternative secure configuration). If you require higher assurance, ask the author for a signed source or a version with explicit env declarations and no references to shared agent workspaces.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cqn554jz1egr0f1h8maqw3983h50d
