Drip director
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears purpose-aligned for guided fashion image generation, but users should notice that it uses local reference images, external Google/Nano Banana services, and a Google API key that are not reflected in the registry requirements.
Before installing, make sure you are comfortable setting a Google API key, potentially incurring provider usage, sending fashion/reference image data to external image and Gemini services, and allowing the skill to read recent OpenClaw inbound media paths. Use a restricted API key and review each confirmation step carefully.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installation may not clearly warn users that the skill expects command-line tools and a Google API key.
The skill declares runtime tools and an API key in SKILL.md even though the registry metadata lists no required binaries, env vars, or primary credential.
requires:
  bins:
    - curl
    - jq
    - uv
  env:
    - GOOGLE_API_KEY
Treat these dependencies as required before use, and prefer registry metadata that accurately declares them.
Provider requests may use the user's Google account quota, billing, or permissions.
The skill uses a Google API key for its image generation/critique workflow. This is purpose-aligned, but it is still delegated account access.
- `GOOGLE_API_KEY` environment variable set
Use a restricted API key with only the needed Gemini/image-generation permissions and monitor usage.
The skill may inspect recent OpenClaw inbound media filenames/paths to associate reference images with the current request.
The skill instructs the agent to run a local shell command to identify recent inbound media files. The command is narrow and purpose-aligned, but it is still local tool use.
ls -t1 ~/.openclaw/media/inbound/ | head -20
Use it only when you are comfortable with the skill accessing recent inbound media paths, and keep unrelated sensitive files out of that folder.
Local image paths and inferred image details may remain in the agent's session context while the workflow runs.
The skill keeps session state containing reference image paths and generated image paths. This is useful for the pipeline, but it may include sensitive local path information.
Maintain this state object throughout the entire session... reference_images: [] ... file_path: "" # full absolute path of generated image
Avoid using sensitive personal images unless you are comfortable with them being part of the session context.
Prompts, generated images, and possibly reference-image information may be processed by external services.
The workflow relies on external/provider model calls for generation and critique. This is disclosed and central to the purpose, but it crosses a provider boundary.
generates via Nano Banana Pro, critiques via a separate Gemini instance... The critique stage must use Gemini API directly via curl
Review the provider privacy terms and avoid submitting images or prompts you would not want processed externally.
