Design With Hopola

Review

Audited by ClawScan on May 1, 2026.

Overview

Hopola appears to be a disclosed generation-and-upload workflow, but users should know it uses an OpenClaw key, external services, local uploaded files, and may consume credits.

Before installing, make sure you trust the publisher, understand that generation can consume credits, and only provide files you are willing to upload to the documented external services. Use stage-based execution or disable automatic uploads when you want tighter control.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing it should expect to provide a gateway key that can authorize generation calls and related account usage.

Why it was flagged

The skill requires an OpenClaw gateway key and access to network and local files for its core workflow.

Skill content

required_credentials:
  - OPENCLOW_KEY
required_permissions:
  - network:http
  - local_file:read

Recommendation

Use a dedicated, scoped OpenClaw key if available, monitor usage, and remove the key when you no longer need the workflow.

What this means

Running the full pipeline or generation stages may consume paid credits or quota once the key is configured.

Why it was flagged

The documentation discloses that authenticated generation calls can trigger real generation and credit deduction.

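Skill content

Billing protection: without `OPENCLOW_KEY`, no generation call is made; the real generation pipeline and credit deduction are triggered only when gateway authentication passes.

Recommendation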

Run only the stages you need, confirm prompts and inputs before generation, and watch account credit usage.

What this means

Images or files you provide for generation/upload can leave the local environment and be processed by external providers.

Why it was flagged

The skill discloses that user-provided local or session images may be read and uploaded through external services.

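Skill content

External network domains: `hopola.ai` (Gateway tool discovery and invocation), `strategy.stariidata.com` (upload policy retrieval...).
Local file access purpose: used only to read user input files and session-uploaded images and to perform the upload

Recommendation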

Only provide files you are comfortable uploading, disable automatic session-image upload when not needed, and avoid using sensitive personal or confidential images.

What this means

Users have less provenance information when deciding whether to trust a skill that uses external services and credentials.

Why it was flagged

The registry metadata does not provide an independently verifiable source or homepage for the skill.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you trust the publisher, and review the included documentation and scripts before configuring credentials.