v1.0.1

Generate product photos for ecommerce

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:01 AM.

Analysis

This skill is purpose-aligned for ProductAI photo generation, but it requires a ProductAI API key and sends image URLs/prompts to ProductAI.

GuidanceInstall this if you intend to use ProductAI.photo and are comfortable sharing product image URLs/prompts with that service. Handle the API key carefully, avoid pasting it into ordinary chat when possible, and check token costs before running generation, upscaling, or batch jobs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Tokens are deducted when each operation **starts** (not on completion).

The skill invokes paid/token-metered ProductAI operations. The cost model is disclosed and aligned with the purpose, but users should notice it before running generation or upscaling.

User impactGenerating or upscaling images can consume ProductAI credits even if the final result is not used.

RecommendationConfirm the model and token cost before running jobs, especially batch jobs or high-cost upscaling.

Unexpected Code Execution

SeverityInfoConfidenceHighStatusNote

SKILL.md

The integration scripts require Python 3.7+ with these dependencies: ... pip install requests pillow

The skill relies on local Python scripts and dependencies. This is disclosed and central to the integration rather than hidden or unrelated code execution.

User impactUsing the skill means running local Python helper scripts in the user's environment.

RecommendationRun the scripts from the expected skill directory, keep dependencies updated, and use an isolated Python environment if desired.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

INTEGRATION-QUESTIONS.md

api_key = user_message  # e.g., "sk_prod_abc123..." ... config_path = Path.home() / '.openclaw' / 'workspace' / 'productai' / 'config.json' ... config_path.chmod(0o600)

The integration can receive a ProductAI API key through the agent conversation and persist it locally. This is purpose-aligned, but it places a paid-service credential in agent-handled context.

User impactAnyone who obtains the API key could use the user's ProductAI account or consume tokens.

RecommendationPrefer the interactive setup script or a secure secret-entry mechanism, avoid pasting real keys into ordinary chat when possible, and rotate the key if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

scripts/productai_client.py

payload = {"model": model, "image_url": image_url, "prompt": prompt} ... self.session.post(f"{self.api_endpoint}/api/generate", json=payload, timeout=self.DEFAULT_TIMEOUT)

The skill sends image URLs and prompts to the ProductAI API provider, which is necessary for the advertised photo-generation workflow.

User impactProduct image URLs, creative prompts, and related job data are shared with ProductAI for processing.

RecommendationUse only images and prompts that are acceptable to share with ProductAI, and review the provider's privacy and retention terms for confidential product launches or client work.