Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sideload Avatar Generator

v1.0.2

Generate 3D avatars (VRM/GLB/MML) from text or images via Sideload.gg, paying $2 USDC per generation using any x402 wallet on Base.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious (view report)
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, required binary (node), packaged scripts, and network endpoints (sideload.gg) are consistent: the skill submits prompts/images, accepts an x402 payment token, polls for a job, and downloads results. No unrelated cloud credentials or binaries are requested.
Instruction Scope
Runtime instructions and included scripts reference only the Sideload API and result URLs. If you supply a path to a local image, the script reads the file, base64-embeds its contents in the request, and writes downloaded outputs to an output directory. That is expected for an uploader/downloader, but it means the contents of any local file whose path you pass are transmitted to the remote service.
Install Mechanism
No remote install or arbitrary download is performed by the skill itself; the instructions and code are included in the bundle. It relies only on Node.js and npm (an explicit npm install is recommended). There are no suspicious external installers or obscure download URLs in the manifest.
Credentials
No environment variables or long-lived credentials are required. However, the tool expects an x402 payment token passed as a command-line argument (--x402-token). Passing a secret on the command line exposes it to other local users through process listings and may leave it in shell history. In addition, passing a local image path transmits that file's contents to sideload.gg, so pointing it at a sensitive file leaks that file.
Persistence & Privilege
The skill does not request persistent or always-on privileges, does not alter other skills or system-wide settings, and does not persist credentials. Default autonomous-invocation settings are unchanged.
Assessment
This package appears to implement exactly what it claims: a Node.js CLI that posts prompts and images to sideload.gg and pays with an x402 token. Take these precautions before running it:
1) Treat the x402 token as a secret. Avoid passing it on the command line if others share the machine or if you care about it appearing in process listings or shell history; prefer stdin or a file readable only by you. An environment variable keeps the token out of shell history but is still readable from the process environment by other processes running as the same user, so it is the weaker choice.
2) Only upload images you intend to share. If you pass a local file path, the script base64-embeds the file's contents in the request and sends them to the remote service, so do not point it at sensitive files.
3) Verify the service domains (sideload.gg, aimml.sideload.gg, aimml.onrender.com) and, if concerned, inspect the included scripts (generate.js and status.js) yourself before running them.
4) Ensure you have Node.js 18+; the scripts use the global fetch API, which Node ships without a polyfill from version 18 on.
5) If you need higher assurance, confirm the upstream repository and release provenance: package.json points to a GitHub repo, but the skill's homepage is missing from the registry metadata.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97a634ekrtfyda9ww9jq0889s815mnr


Runtime requirements

Clawdis
Bins: node
