Multi-Modal Content Creator
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: multimodal-content-creator Version: 1.0.1 The skill bundle implements a legitimate multimodal workflow for transcribing audio via Whisper and generating images via DALL-E 3. The code in workflow.py, transcribe.py, and generate_images.py is well-structured and aligns with the stated purpose. While wacli.py uses a local configuration file (~/.wacli/config.json) to store an authentication token, this is standard behavior for CLI tools and shows no signs of intentional data exfiltration or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the batch command may consume OpenAI credits and send generated replies for multiple customer messages without a per-message confirmation step.
When the user runs the batch workflow, the code processes every message returned by the WhatsApp client; `process_whatsapp_request` then generates an image and calls `wa_client.send_message(...)`.
messages = wa_client.list_messages()
for msg in messages:
# In production, track read/unread status
process_whatsapp_request(msg)Before connecting this to a real WhatsApp sender, consider adding a dry-run mode, recipient allowlist, rate limits, read/unread tracking, and per-message approval for outgoing media.
Anyone with access to that config file may be able to reuse the stored WhatsApp token, depending on the real service behind the token.
The WhatsApp auth token is persisted in a local config file so later commands can act through the user’s messaging account.
self.config_path = config_path or os.path.expanduser("~/.wacli/config.json")
...
self.config["auth_token"] = auth_token
self.save_config()Use a minimally scoped token if available, keep the config file private, and delete `~/.wacli/config.json` when the skill is no longer needed.
Customer voice notes, text prompts, and generated prompt context may leave the local environment and be processed by OpenAI.
Audio chunks are sent to OpenAI’s Whisper API for transcription; image prompts are similarly sent to OpenAI’s image API in the companion generator.
transcript = client.audio.transcriptions.create(
model="whisper-1",
file=buffer,
response_format="text",
)Use this only with content you are allowed to send to OpenAI, and review OpenAI retention/privacy settings for your account.
Dependency behavior could change over time, even though these packages are consistent with the skill’s purpose.
The Python dependencies are specified with lower bounds rather than exact pinned versions, so future installs may resolve to newer package versions.
openai>=1.0.0 pydub>=0.25.1 requests>=2.31.0 python-dotenv>=1.0.0
For production use, pin exact versions or use a reviewed lockfile.