Mixtiles Monthly

Status: Pending. Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Photos outside the intended monthly period could be downloaded, curated, uploaded, and included in the cart.

Why it was flagged

The script only applies a lower-bound date and has no end date, even though SKILL.md describes collecting photos for last month. A run can therefore include photos after the intended month.

Skill content

wacli messages search "*" --chat "$GROUP_JID" --type image --after "$AFTER_DATE" --limit 100 --json

Recommendation

Add an explicit before/end date for the last day of the target month and show the candidate photo list before uploading or sending.

What this means

Private family images may leave the user’s device and WhatsApp group and be stored or accessible through third-party services.

Why it was flagged

The workflow sends selected private family photos from WhatsApp to an external provider, but the artifacts do not describe retention, visibility, consent, or deletion controls.

Skill content

This uploads each photo to Cloudinary and outputs a single Mixtiles cart URL with all photos.

Recommendation

Require user approval of selected photos before upload, document where photos are sent and retained, and provide cleanup or opt-out guidance.

What this means

If the external mixtiles-it script is missing, modified, or unsafe, this skill may process and upload private photos through unreviewed code.

Why it was flagged

The skill dynamically finds and executes code from another installed skill that is not included in this review and is not declared in the install requirements.

Skill content

MIXTILES_CART_SCRIPT="$(find ~/.openclaw/workspace/skills/mixtiles-it/scripts -name 'mixtiles-cart.py')" ... python3 "$MIXTILES_CART_SCRIPT"

Recommendation

Declare and pin the dependency, include the helper script in the reviewed artifacts, or ask the user to confirm the exact script path before running it.

What this means

The skill can act through the user’s WhatsApp account for the configured group or recipient.

Why it was flagged

Using wacli implies use of the user’s authenticated WhatsApp account to read group media and send a message. This is aligned with the skill purpose, but it is sensitive account authority.

Skill content

wacli send text --to "$SEND_TO" --message "Your monthly tiles are ready!... $CART_URL"

Recommendation

Use a dedicated or clearly understood WhatsApp session, verify MIXTILES_GROUP_JID and MIXTILES_SEND_TO, and require confirmation before sending.

What this means

A scheduled run could collect, upload, and send photos automatically each month.

Why it was flagged

The skill contemplates scheduled monthly execution. The provided artifacts do not install persistence, but a configured cron trigger would run the workflow without a fresh manual prompt.

Skill content

Use when it's time for the monthly Mixtiles order ... or on the monthly cron trigger.

Recommendation

If scheduled, add a human approval checkpoint before upload and before WhatsApp sending.