Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI role play character image generation
v1.0.1Character-consistent AI image generation for agents. Same person, any outfit, any scene, every time. Use when: (1) Your agent needs to generate character ima...
⭐ 2· 181·0 current·0 all-time
bywujia@whbzju
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name and description (identity-preserving image generation) match the included CLI client and the declared requirements (python3 and AuraShot API keys). The included script and API reference call only AuraShot endpoints. One small inconsistency: SKILL.md claims the AuraShot backend is "stateless and stores nothing," but the API responses and public output URLs imply server-side storage of generated assets — this is an accuracy/marketing mismatch, not a credential mismatch.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python CLI and to upload face images (local path or public URL). The script will search upward from CWD and in the home directory for a .aurashot.env file and will upload any local file path you pass to it. That behavior is expected for the task but means a mis-specified path or overly-broad agent action could result in arbitrary local files being uploaded. The script also includes an SSL fallback that creates an unverified SSL context when downloading images, which weakens transport security in some error cases.
Install Mechanism
No installation downloads or external installers are declared — the skill is instruction-plus-bundled-Python-script. There are no opaque remote archives or URL-shortened installers; the code uses only stdlib HTTP and file I/O and will run with python3 on the host.
Credentials
Only AURASHOT_API_KEY and AURASHOT_STUDIO_KEY are required (primaryEnv declared as AURASHOT_API_KEY), which is proportionate for a remote image-generation service. The script optionally uses AURASHOT_BASE_URL and will read a local .aurashot.env file for those keys. No other unrelated secrets are requested.
Persistence & Privilege
always:false (no forced inclusion). The skill runs as a normal user-invocable/autonomously-invocable skill. It writes downloaded outputs to user-specified directories and reads/writes a local .aurashot.env when the user follows the setup instructions — it does not attempt to modify other skills or global agent config.
Assessment
This skill appears coherent with its purpose, but before installing consider: (1) Privacy — you will be uploading face photos to https://www.aurashot.art; confirm the service's retention and privacy policy and avoid uploading photos of people without consent. (2) Limit scope — the CLI will upload any local path you pass it, so avoid passing paths you don't intend to share; use a disposable/test API key or account for initial testing. (3) Secrets handling — the skill suggests storing API keys in .aurashot.env (searched from CWD upward); do not commit that file to version control and prefer per-project config locations you control. (4) Transport security — the client includes a fallback to an unverified SSL context when downloading images; network errors may cause less-secure downloads. If this is a concern, review/modify the script to remove the fallback. (5) Content risks — SKILL.md explicitly allows all content types; ensure your usage complies with laws, platform policies, and consent requirements. If you want higher assurance, review the scripts/aurashot.py source yourself or run it in an isolated environment before allowing autonomous agent invocation.Like a lobster shell, security has layers — review code before you run it.
latestvk97bf3j1s56b9g38cpzw7023xx8452h9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎭 Clawdis
Binspython3
EnvAURASHOT_API_KEY, AURASHOT_STUDIO_KEY
Primary envAURASHOT_API_KEY