clawaifu - OpenClaw Waifu

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do what it says: generate an anime-style image through fal.ai and send it to the configured Telegram chat when invoked.

Before installing, make sure you are comfortable giving the skill a fal.ai API key and Telegram bot/chat details, and understand that prompts and captions are sent to external services. Use a dedicated Telegram bot/chat if possible, keep credentials in environment variables, and ensure curl and jq are installed from trusted sources.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A casual prompt may cause the agent to generate and send an image to the configured Telegram chat.

Why it was flagged

The skill can run its selfie-sending Bash script, and its trigger list includes broad conversational prompts. This is aligned with the companion/selfie purpose, but users should understand that invocation results in an external Telegram send.

Skill content

allowed-tools: Bash(grok-selfie.sh:*) Read ... User asks "what are you doing?", "how are you doing?", "where are you?"

Recommendation

Use it only with a Telegram chat you control, and adjust usage expectations if you want images sent only after explicit requests.

What this means

Anyone with these environment variables can use the configured fal.ai account and send photos through the configured Telegram bot/chat.

Why it was flagged

The skill requires credentials for fal.ai and Telegram. These credentials are expected for its stated purpose, and the documentation says to provide them via environment variables rather than hardcoding them.

Skill content

FAL_KEY=your_fal_api_key ... BOT_TOKEN=your_telegram_bot_token ... TELEGRAM_CHAT_ID=your_chat_id

Recommendation

Use a dedicated Telegram bot and intended chat ID, keep the keys private, and rotate them if they are exposed.

What this means

Text included in the image context or caption is shared with external services.

Why it was flagged

The script sends the generated prompt/user context to fal.ai and sends the resulting image URL, and optional caption, to Telegram. These provider calls are disclosed and purpose-aligned.

Skill content

curl -s -X POST "https://fal.run/xai/grok-imagine-image/edit" ... curl -s -X POST "https://api.telegram.org/bot$BOT_TOKEN/sendPhoto"

Recommendation

Avoid putting private or sensitive information in selfie prompts or captions unless you are comfortable sharing it with those providers.

What this means

The skill may fail or behave differently if curl or jq are missing or supplied by an unexpected local installation.

Why it was flagged

The skill has no install-time dependency enforcement even though SKILL.md documents curl and jq as dependencies and the included script uses them. This is a setup reliability/provenance note, not evidence of malicious behavior.

Skill content

No install spec — this is an instruction-only skill. ... Required binaries (all must exist): none

Recommendation

Install curl and jq from trusted system package sources before use.