Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawdy Selfie

v1.0.1

Generate a Clawdy selfie with the installed local helper script and the configured FAL_KEY.

0 · 106 · 1 current · 1 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for x-rayluan/clawdy-selfie.

Install the skill "Clawdy Selfie" (x-rayluan/clawdy-selfie) from ClawHub.
Skill page: https://clawhub.ai/x-rayluan/clawdy-selfie
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawdy-selfie

ClawHub CLI

npx clawhub@latest install clawdy-selfie

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The declared purpose (generate a Clawdy selfie using a local helper and FAL_KEY) is plausible for the included scripts, but the metadata is incomplete: the skill does not declare required environment variables (FAL_KEY is used; SEEDANCE_API_KEY is required for video), nor does the registry list required binaries that the scripts expect (jq, python3, curl, openclaw CLI). The video script also requires access to an external Seedance API (default base URL: api.outai.top) which is not mentioned in the SKILL.md. These undeclared requirements are disproportionate to the simple description.
! Instruction Scope
SKILL.md instructs the agent to run bundled helper scripts and use a bundled reference image, but the repository manifest does not include the referenced assets/clawdy.png. The video script will upload the reference image to public hosting services (file.io, 0x0.st) or use a provided public URL, and then submit it to a third-party video API—behavior not described in SKILL.md. The scripts also log and will send files/messages via the openclaw CLI (i.e., transmit generated media), and the SKILL.md does not disclose these network/file-hosting actions.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded/installed by the platform. However the included scripts perform network operations and spawn local commands (python3, curl, jq, openclaw), and will download/upload content at runtime. Lack of an install step lowers installation risk but does not eliminate runtime network and execution risks.
! Credentials
Registry metadata declares no required environment variables, yet the scripts require at least FAL_KEY (image generation) and SEEDANCE_API_KEY (video generation). The TypeScript also references OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN as optional env vars. Requiring these secrets without declaring them in the skill manifest is an incoherence and a security/privacy risk (these keys would be provided by the user but the skill does not advertise or justify them).
Persistence & Privilege
The skill is not marked always:true, does not request persistent platform privileges, and does not modify other skills or global agent configuration. It runs only when invoked.
What to consider before installing
Do not install or run this skill blindly. Specific issues to consider before using it:

(1) The scripts expect a bundled reference image at assets/clawdy.png, but the manifest does not include that file — ask the author to include it or provide one and verify it is the intended image.

(2) The skill uses secrets not declared in the registry: FAL_KEY (required) and SEEDANCE_API_KEY (for video); supplying these gives the skill access to external services — only provide keys you trust and consider using scoped/test keys.

(3) The video helper uploads the reference image to public hosting services (file.io, 0x0.st) and then sends it to a third-party API (default base API domain is api.outai.top) — this publicly exposes the reference image and is a privacy concern; verify and trust the remote endpoint before running.

(4) The scripts call local tools (jq, python3, curl, openclaw CLI); ensure these binaries are present and that you understand what the openclaw CLI will do on your system.

(5) If you need to proceed, run the scripts in an isolated environment (container or VM), inspect the reference image and all network endpoints first, and prefer providing only minimal, revocable API credentials.

Finally, request that the skill author update the SKILL.md and registry metadata to list required env vars, binaries, and to disclose the public uploads and external API endpoints — the missing declarations are the main coherence/security problem.
scripts/clawdy-selfie.ts:99
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


latest vk97dq7qn1f3ryj4ec15avx6sdx85fhxg
106 downloads
0 stars
2 versions
Updated 3d ago
v1.0.1
MIT-0

Clawdy Selfie

Use this skill only when the user asks Clawdy for a selfie, photo, mirror pic, outfit shot, or location selfie.

Rules:

  • Generate/send a real image when possible.
  • Keep Clawdy clearly male-coded.
  • ALL Clawdy images must use the same single male reference image.
  • Never switch to text-to-image fallback for Clawdy unless Ray explicitly asks for it.
  • If reference-based generation fails, report the exact API/tool error. Do not invent explanations like quota/balance unless the API explicitly says that.

Execution:

  • Run the local helper script in this skill's scripts folder.
  • Use the configured FAL_KEY env.
  • Use the bundled Clawdy reference image in this skill's assets folder.

Preferred prompt style:

  • mirror selfie for outfit/fashion/full-body requests
  • direct selfie for close-up/location/boyfriend vibe requests

Default visual baseline:

  • handsome Korean-American male
  • masculine jawline
  • athletic build
  • boyfriend vibe
  • tasteful, not explicit
