OpenClaw Temperature

Pass. Audited by ClawScan on May 17, 2026.

Overview

This looks like a purpose-matched GIF-reaction skill, but it relies on a hosted service and generated API key, so avoid sharing its API-key or recharge links and keep metadata non-sensitive.

This skill appears coherent for adding occasional GIF reactions and does not show shell execution or arbitrary file reads. Install it only if you are comfortable with a hosted service receiving short reaction metadata and with a generated local API key. Do not share recharge links or API-key output, and keep any metadata summaries free of secrets or private conversation details.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a recharge link or chat output containing the key is shared, someone else may be able to use or affect that skill-specific API key.

Why it was flagged

The generated service API key is returned and embedded in a recharge URL in this code path. This is purpose-related account handling, but the full key should be treated as sensitive.

Skill content

apiKey: resolved.apiKey, ... buyPageUrl: `${hostedApiBaseUrl}/recharge?api_key=${encodeURIComponent(resolved.apiKey)}`

Recommendation

Do not share recharge links or full API-key output. The publisher should prefer masked keys, one-time checkout tokens, or server-side sessions instead of putting bearer-style keys in URLs.

What this means

Short context about the conversation may be sent to the hosted service when a reaction is requested.

Why it was flagged

The skill sends reaction metadata to an external hosted API. The artifacts disclose this and advise short, non-secret metadata, which makes the data flow purpose-aligned but still worth noticing.

Skill content

It only sends the minimal reaction event passed by OpenClaw. ... Keep metadata short and avoid secrets.

Recommendation

Keep metadata summaries brief and non-sensitive; do not include credentials, private files, or full conversation transcripts.

What this means

A user may see a recharge or free-explanation link from the hosted service despite the free-beta framing.

Why it was flagged

The package contains a tested recharge-required fallback even though the public documentation emphasizes current free-beta use. The code does not show an automatic purchase, but users should know billing prompts are possible if the hosted API returns that state.

Skill content

test("returns recharge-required for expired trials", async () => { ... assert.equal(result.mode, "recharge_required");

Recommendation

Verify the service’s billing terms before relying on it, and avoid entering payment information unless the publisher clearly documents the current policy.