Avatar Generator

Security checks across malware telemetry and agentic risk

Overview

The provided artifacts describe a local avatar generator that uses no credentials and makes no network calls. The only finding is a minor setup-metadata mismatch around its Python/Pillow dependencies.

This looks safe for normal local avatar generation. The main thing to check is the setup: SKILL.md expects Python and Pillow even though the registry metadata does not declare install requirements.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill may require installing Python/Pillow even though the registry summary presents it as instruction-only with no requirements.

Why it was flagged

SKILL.md declares a Python runtime and an unpinned Pillow installation, while the registry metadata says there are no required binaries and no install spec. This is expected for a local image generator but is under-declared in the registry-level setup information.

Skill content

metadata: {"openclaw": {"emoji": "👤", "requires": {"bins": ["python3"], "env": []}}}
dependencies: "pip install pillow"

Recommendation

Before installing or using it, confirm you are comfortable installing Pillow from your normal trusted Python package source, and prefer pinned or reviewed dependencies when possible.