Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawra Selfie

v1.1.3

Generate Clawra-style selfie images with a Qwen-first image backend (with optional Gemini and HF fallback) and send them to messaging channels via OpenClaw.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for nasplycc/nasplycc-clawra-selfie.

Prompt preview (Install & Setup):
Install the skill "Clawra Selfie" (nasplycc/nasplycc-clawra-selfie) from ClawHub.
Skill page: https://clawhub.ai/nasplycc/nasplycc-clawra-selfie
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install nasplycc-clawra-selfie

ClawHub CLI

npx clawhub@latest install nasplycc-clawra-selfie

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (high confidence)

! Purpose & Capability

The skill's stated purpose (generate/send Clawra-style selfies) matches the code: it calls image backends (Qwen/Gemini/HF) and sends outputs via OpenClaw. However the registry metadata claims 'required env vars: none' and 'primary credential: none' while SKILL.md and scripts clearly require QWEN_API_KEY or HF_TOKEN (and optionally GEMINI_API_KEY). This mismatch between declared requirements and actual runtime needs is an incoherence the user should be aware of.

! Instruction Scope

SKILL.md and scripts instruct reading/writing workspace files and reference explicit absolute paths under /home/Jaben/.openclaw/workspace-clawra-bot/... and OUTPUT_DIR defaults to /home/Jaben/.openclaw/... The TypeScript wrapper also calls an absolute script path (/home/Jaben/.openclaw/skills/clawra-selfie/scripts/clawra-selfie.sh). These hard-coded paths extend the skill's scope to a specific user's filesystem and may fail or unintentionally access other files on different systems. The script will also send network traffic to third-party APIs (DashScope/Qwen, Hugging Face, Gemini) which is expected but requires provided API keys.

Install Mechanism

There is no registry install spec, but an included scripts/install.sh clones the GitHub repo (standard), and README suggests a curl|bash one-liner that downloads the installer. 'curl | bash' style install is convenient but risky; the included install.sh itself uses git clone which is lower risk. No obscure download URLs or IPs are used, but running remote install scripts without review is a common vector for supply-chain issues.

Credentials

Requested credentials (QWEN_API_KEY, HF_TOKEN, optional GEMINI_API_KEY) are appropriate for image-generation backends and proportional to the skill's function. The problem is that the skill metadata in the registry does not declare these env vars, causing a transparency gap. Also the script will inherit and pass process.env through to child processes (normal), so be mindful of token exposure in logs or stdout/stderr.

Persistence & Privilege

The skill does not request always:true and doesn't modify other skills' config. It writes generated images to a workspace directory and reads possible reference images from hard-coded paths. Those write/read actions are expected for this functionality, but the hard-coded /home/Jaben paths create a persistence/privilege mismatch for other users and could cause accidental reads/writes in unexpected locations.

What to consider before installing

Before installing or running this skill:

  1. Review and set required API keys (QWEN_API_KEY or HF_TOKEN; GEMINI_API_KEY only if you enable Gemini). The registry metadata incorrectly lists no required env vars—trust the SKILL.md/scripts instead.
  2. Inspect scripts before running any curl|bash installer; prefer cloning the GitHub repo with git and review install.sh.
  3. Update the hard-coded paths (/home/Jaben/...) in scripts/ts to match your system (or install under that exact path) to avoid accidental access to other directories or failures.
  4. Store API tokens with least privilege and separate tokens for demo/testing; avoid reusing high-privilege keys.
  5. Consider running the skill in an isolated account/container and keep private reference images out of public repos.
  6. If you plan to reuse the included TypeScript wrapper, change the absolute script path to a relative or configurable location so it won't execute unintended files.

If these issues are addressed (metadata fixed, paths parameterized, install guidance removed or made safer), the skill's risk would be much lower.
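
A pre-install check for the two gaps called out above (credential env vars missing from the declared metadata, and /home/<user> paths baked into scripts), written here as an added example that is not part of the skill or of the ClawHub scanner. The function names, the space-separated "declared" list and the sample script are assumptions constructed for illustration; point `audit_skill` at a cloned copy of the skill to use it for real.

```shell
#!/bin/sh
# Added example: pre-install audit of an unpacked skill directory.
# Function names and the sample file are constructed for illustration.

# Credential-style env var names referenced anywhere under directory $1.
used_secret_vars() {
  grep -rhowE '[A-Z][A-Z0-9_]*_(API_KEY|TOKEN)' "$1" 2>/dev/null | sort -u
}

# Names the code uses that are missing from the declared list $2
# (space-separated; how the registry exposes that list is an assumption).
undeclared_secret_vars() {
  for v in $(used_secret_vars "$1"); do
    case " $2 " in *" $v "*) ;; *) echo "$v" ;; esac
  done
}

# Per-user home prefixes baked into the files, e.g. /home/<name>.
hardcoded_homes() {
  grep -rhoE '/home/[A-Za-z0-9._-]+' "$1" 2>/dev/null | sort -u
}

# Print findings; return 1 if anything needs attention before install.
audit_skill() {
  bad=0
  for x in $(undeclared_secret_vars "$1" "$2"); do
    echo "undeclared credential env var: $x"; bad=1
  done
  for x in $(hardcoded_homes "$1"); do
    echo "hard-coded home path: $x"; bad=1
  done
  return "$bad"
}

# Constructed sample mirroring what the scan describes, not the real script.
make_sample_skill() {
  d=$(mktemp -d) && mkdir -p "$d/scripts"
  cat > "$d/scripts/clawra-selfie.sh" <<'EOF'
OUTPUT_DIR="${OUTPUT_DIR:-/home/Jaben/.openclaw/workspace-clawra-bot/out}"
: "${QWEN_API_KEY:=}" "${HF_TOKEN:=}"
[ "${ENABLE_GEMINI:-0}" = 1 ] && key="$GEMINI_API_KEY"
EOF
  echo "$d"
}

sample=$(make_sample_skill)
audit_skill "$sample" "" || echo "review before installing"
rm -rf "$sample"
```

Passing an empty declared list reproduces the registry's "required env vars: none" case, so every credential variable the scripts touch is reported.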

Like a lobster shell, security has layers — review code before you run it.

latest vk97b1246gj1pnwr6kf5jmenr7h83jntr
154 downloads
0 stars
5 versions
Updated 1mo ago
v1.1.3
MIT-0

Clawra Selfie

Generate Clawra-style selfies with a Qwen-first image backend (DashScope qwen-image-plus) and optional Gemini / Hugging Face fallback paths, then send the result to OpenClaw messaging channels (Telegram, Discord, WhatsApp, Slack, etc.).

Default current persona target:

  • Raya is an 18-year-old Chinese young woman
  • use a fixed face-anchor prompt for consistency
  • use a fixed negative-anchor prompt to reduce drift toward heavy glam, over-mature, over-filtered, overly childish, or structurally off-model looks

When to Use

  • User says "send a pic", "send me a pic", "send a photo", "send a selfie"
  • User says "send a pic of you...", "send a selfie of you..."
  • User asks "what are you doing?", "how are you doing?", "where are you?"
  • User describes a context: "send a pic wearing...", "send a pic at..."
  • User wants Clawra/Raya to appear in a specific outfit, location, or situation

Required Environment Variables

QWEN_API_KEY=your_dashscope_api_key          # primary backend (recommended)
HF_TOKEN=your_huggingface_token               # optional fallback
ENABLE_GEMINI=1                               # set to 1 to enable Gemini probe (optional)
GEMINI_API_KEY=your_google_gemini_api_key     # optional probe/fallback path
GEMINI_IMAGE_MODEL=gemini-2.5-flash-image     # optional override
QWEN_IMAGE_MODEL=qwen-image-plus              # optional override
HF_IMAGE_MODEL=black-forest-labs/FLUX.1-schnell
HF_API_BASE=https://router.huggingface.co/hf-inference/models

Token source:

https://huggingface.co/settings/tokens

Important Limitation

Even with Qwen-first routing, the current workflow is still prompt-first (soft identity anchoring), not true reference-image editing. Compared with paid image-edit backends:

  • easier to try quickly
  • but identity consistency is weaker
  • and most public models are still text-to-image, not guaranteed hard face lock

So this version should be treated as:

  • good for role-consistent selfie vibes
  • not guaranteed for exact same face every time

Official Face Mechanism

The workspace may store an official face reference under:

  • /home/Jaben/.openclaw/workspace-clawra-bot/references/raya-official-face-current.png
  • /home/Jaben/.openclaw/workspace-clawra-bot/references/raya-official-face-current.jpg
  • /home/Jaben/.openclaw/workspace-clawra-bot/references/raya-official-face-v1.png
  • /home/Jaben/.openclaw/workspace-clawra-bot/references/raya-official-face-v1.jpg

Behavior:

  • if a file exists, treat it as Raya's official face anchor
  • current Qwen/HF prompt-first workflow still treats this as a soft anchor, not hard face lock
  • when the backend is upgraded later to reference-image editing or local ComfyUI, reuse the same file path

Mirror mode

Best for outfit / mirror-area / half-body or full-body style. Does not require holding a phone by default.

Direct mode

Best for close-up selfie / current state / location vibe.

Primary Script

QWEN_API_KEY=your_dashscope_api_key \
/home/Jaben/.openclaw/skills/clawra-selfie/scripts/clawra-selfie.sh \
  "her desk late at night, still replying to messages" \
  "telegram" \
  "direct" \
  "Raya 的自拍 ✨"

Arguments:

  1. user_context — what she should be doing / wearing / where she is
  2. channel — target channel/provider name for OpenClaw send
  3. mode — optional: mirror, direct, or auto
  4. caption — optional text caption

Notes

  • Default preferred model is qwen-image-plus via DashScope
  • If Qwen is unavailable, the script can fall back to Gemini (optional) and then Hugging Face
  • If HF returns JSON/text instead of image bytes, surface the raw error clearly
  • This version is intentionally simpler and more robust than the earlier fal/Gemini-only attempts
