Back to skill
Skillv2.7.0
ClawScan security
风水大师助手2.7.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 3, 2026, 1:17 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what its description says (image-based fengshui/palm/face analysis using a third‑party vision API), but there are coherence issues: it expects and reads API keys/config from global OpenClaw config and environment variables that are not declared in the skill metadata and it will read ~/.openclaw/openclaw.json (which may contain unrelated secrets).
- Guidance
- This skill is coherent with its stated function (it sends images to Volcengine and returns analysis), but exercise caution before installing: - Inspect your global OpenClaw config (~/.openclaw/openclaw.json). If it contains unrelated secrets (other API keys, tokens), move or clone only the required keys into a dedicated, minimal config for this skill, or set the OPENCLAW_CONFIG_PATH to a restricted file. - The skill will send Base64-encoded images to ark.cn-beijing.volces.com and any configured DeepSeek endpoint — do not upload images containing PII or sensitive documents. - Because the manifest does not declare required env vars, assume the code will read DOUBAO_API_KEY/DEEPSEEK_API_KEY/VOLCENGINE_API_KEY and potentially BAIDU_API_KEY via the bundled baidu-search subskill; provide least-privilege keys and consider usage quotas/monitoring. - Review the bundled Python scripts (already included) yourself or run the skill in a sandboxed/test environment before using on real data. - If you need to proceed, create a dedicated config file in the skill workspace with only the necessary public API key, set appropriate file permissions, and rotate keys after testing.
Review Dimensions
- Purpose & Capability
- noteThe code and SKILL.md align with the stated purpose: image + text analysis routed to Volcengine (豆包) and a DeepSeek model. However the skill metadata declares no required env vars or primary credential while the code uses/looks for DOUBAO_API_KEY, DEEPSEEK_API_KEY, VOLCENGINE_API_KEY and a local/public config file containing an api_key. A bundled sub-skill (baidu-search) also expects BAIDU_API_KEY. The missing declaration of these credentials in the public metadata is an inconsistency (not necessarily malicious) that reduces transparency.
- Instruction Scope
- concernRuntime instructions and scripts explicitly read a global OpenClaw config (~/.openclaw/openclaw.json or OPENCLAW_CONFIG_PATH) and will read local skill config files; they also Base64-encode and POST user images to external API endpoints (ark.cn-beijing.volces.com and configurable DeepSeek endpoints). Those network calls are expected for image analysis and are documented, but reading the global config is broad: that file can contain other keys/credentials unrelated to image analysis and the skill will parse it. The SKILL.md warns about this, but the runtime behavior still grants the skill access to whatever is present in that config file.
- Install Mechanism
- okThere is no install spec (instruction-only install) and no downloads or external installers in the manifest. The skill includes Python scripts bundled with the skill (requests, PIL usage). No remote archives/shortened URLs or package installs are present in the provided files.
- Credentials
- concernThe skill requests no declared env vars in metadata but at runtime reads multiple environment variables and config locations (DOUBAO_API_KEY, DEEPSEEK_API_KEY, VOLCENGINE_API_KEY, and the global OpenClaw config). It also includes a nested baidu-search skill that requires BAIDU_API_KEY. Access to the global openclaw.json is disproportionate unless users restrict that config to only contain these specific, low-privilege keys. The included security_check script scans skill files and the global config for many secret formats (UUIDs, OpenAI style keys, etc.), which is reasonable for auditing, but it also demonstrates the skill will inspect content broadly.
- Persistence & Privilege
- noteThe skill is not marked always:true and does not request elevated platform privileges in the manifest. It does read local config files and writes temporary files/reports under /tmp; it does not appear to modify other skills or system settings. Still, because it reads the global OpenClaw config, it can access any secrets present there while running.