ClawHub
Back to skill
v1.0.2

Openclaw-X-article-cover-generator

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:17 AM.

Analysis

This appears to be a purpose-aligned cover-image generator, but users should notice that it uses an external image API, an API key, and a runtime Python dependency.

GuidanceBefore installing, make sure you are comfortable sending the cover title, subtitle, and reference image to api.bltcy.ai and using a BLT_API_KEY with this helper. Run it in a controlled environment if dependency reproducibility matters, and choose the output path carefully.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
scripts/generate_cover.py
# dependencies = ["requests>=2.31.0"]

The helper declares a runtime dependency on requests using a version range rather than a fully pinned package version. This is ordinary for a small API client but is still a dependency-resolution consideration.

User impactRunning the helper with uv may resolve and use a compatible installed or downloaded requests package.
RecommendationIf you need reproducible installs, pin dependencies or run the script in a controlled environment.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/generate_cover.py
api_key = args.api_key or os.environ.get("BLT_API_KEY")
...
"Authorization": f"Bearer {api_key}"

The helper authenticates to the BLT image API with a user-provided API key. This is consistent with the stated image-generation purpose, but it is credential use that users should notice.

User impactUsing the skill requires trusting the BLT API key with the external image-generation request and any associated account or billing implications.
RecommendationUse a scoped or dedicated BLT API key if available, and avoid sharing the key in chat or committing it to files.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/generate_cover.py
"prompt": prompt,
        "aspect_ratio": "21:9",  # 5:2 nearest
        "image_size": size,
        "response_format": "url",
        "image": [ref],

The script sends the generated prompt and reference image input to the external BLT image-generation API. This is expected for the skill's purpose, but local reference images or titles may leave the user's environment.

User impactArticle titles, subtitles, and any local reference image provided to --reference can be transmitted to the external provider.
RecommendationDo not use confidential titles or reference images unless you are comfortable sending them to api.bltcy.ai.