Turn pet photos into cinematic character posters.
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: pet-movie-poster
Version: 1.0.3
The skill is a legitimate tool designed to transform pet photos into movie posters using the Mew.design API. It handles sensitive data, such as user-provided API keys and images, with explicit instructions in `SKILL.md` to validate keys and obtain user consent before uploading local files to third-party hosts. The API interactions via `curl` are directed to the official `api.mew.design` endpoints, and no evidence of malicious exfiltration, persistence, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A real embedded key could let others spend credits or access the associated provider account, and users may be unclear whose key is being used.
The static scan reports this line in SKILL.md as an exposed secret literal. While an x-api-key header is expected for Mew API calls, a hardcoded API key in a public skill instruction is not needed and creates credential exposure risk.
-H "x-api-key: [REDACTED]" \
Remove any real API key from the skill, use a placeholder such as YOUR_MEW_API_KEY, and declare the required credential in metadata or a proper secret-handling path.
The agent will receive an API key that may spend credits or access the user’s mew.design account capabilities.
The skill explicitly requires the user’s mew.design API key to call the provider APIs. This is purpose-aligned, but it is sensitive account authority and the registry metadata lists no primary credential.
Collect the user's mew.design API key
Only provide a key you are comfortable using for this task, monitor provider usage, and revoke or rotate the key if it is exposed.
Your pet image, and possibly associated poster text, may be processed by external services outside the local agent.
The workflow may send pet images to external APIs or a temporary file host. The instruction does disclose this and requires user consent before the fallback upload.
you can temporarily upload the image to a third-party file host to obtain a URL, but this means the image will be sent to an external service, and ask whether they accept that privacy tradeoff before doing it
Use non-sensitive images, prefer a URL you control, and only approve temporary upload if you accept the privacy tradeoff.
