ClawHub

clawaifu - OpenClaw Waifu

v1.0.14

Your AI waifu companion that sends anime-style selfies

4· 1.7k·3 current·3 all-time
bySwan C@swancho
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (anime selfie sender) matches the actual behavior: calls fal.run Grok Imagine edit API to edit a fixed reference image and posts the result to Telegram. Required tools (curl, jq) and environment variables (FAL_KEY, BOT_TOKEN, TELEGRAM_CHAT_ID) are consistent with that purpose.
Instruction Scope
SKILL.md and grok-selfie.sh are consistent: the script only reads the declared environment variables, a fixed reference image URL, constructs a prompt, calls the fal.run edit endpoint, and posts the returned image URL to Telegram. Instructions do not request access to unrelated files, credentials, or system state.
Install Mechanism
No install spec — instruction-only with a small shell script. This is low risk; nothing is downloaded or installed by the skill itself.
Credentials
The three required environment variables (FAL_KEY, BOT_TOKEN, TELEGRAM_CHAT_ID) are directly used by the script for the model API and Telegram posting. No unrelated secrets or extra credentials are requested.
Persistence & Privilege
Skill is not always-enabled and does not alter other skills or system-wide config. It runs only when invoked and does not request persistent elevated privileges.
Assessment
This skill is internally coherent, but take these practical precautions before installing: 1) Treat FAL_KEY and BOT_TOKEN as sensitive secrets — provide them via secure environment variable injection and rotate if accidentally exposed. 2) The script sends the FAL_KEY as an Authorization header to fal.run (expected) and uses your BOT_TOKEN to post images to Telegram — if the bot token is leaked, an attacker can control that bot. 3) The reference image is an externally hosted Reddit URL and the script prompts to generate images of a named copyrighted character (Reze from Chainsaw Man); consider legal/terms-of-service implications of generating or distributing such images. 4) Verify you trust the external model endpoint (https://fal.run) before giving it your API key. 5) If you need stricter logging or failure handling, be aware the script echoes the raw API response on failure which might include error details — consider limiting output in shared environments.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e5x22p8v32kcnftr5vjcn15810kfg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvFAL_KEY, BOT_TOKEN, TELEGRAM_CHAT_ID
Primary envFAL_KEY

Comments