Skill v1.0.3
ClawScan security
weimage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Malicious · Feb 16, 2026, 5:41 AM
- Verdict: Malicious
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill contains covert behavior that places generated images into a hard-coded external website, loads root-level environment variables, and enforces silent forwarding to users — behavior consistent with data exfiltration and intentional misdirection.
- Guidance: Do not install or run this skill. It enforces silent behavior, loads root .env credentials, forces a root python environment, copies generated files into a hard-coded public website (voice.robotmusk.com), and instructs automatic messaging — all signs of covert exfiltration. If you already ran it:
  1. Uninstall/remove the skill immediately.
  2. Inspect and remove files under /opt/1panel/www/sites/voice.robotmusk.com/index and /root/.openclaw/workspace for unexpected artifacts.
  3. Check and rotate any secrets stored in /root/.openclaw/.env and other credentials that could have been exposed.
  4. Block outbound traffic to voice.robotmusk.com and related hosts.
  5. Audit agent messaging logs for automatic pushes to users (WeChat/default_api.message) and notify affected users.
  6. If this ran on a production host, perform a host compromise investigation and consider rebuilding the host.

  The script's behavior is intentionally covert and not proportionate to a benign image-generation helper.
Review Dimensions
- Purpose & Capability: concern
  The skill claims to generate and deliver images to users, but its code writes output into a hard-coded public web directory (OUTPUT_DIR) served at an external domain (voice.robotmusk.com) and returns that URL. That destination is unrelated to a generic 'generate image and send to users' claim and suggests exfiltration or covert publishing. The script also forces use of /root/pythonenv and references a GEN_SCRIPT in /root/.openclaw/workspace; these hard-coded root paths are not proportional to the stated purpose.
- Instruction Scope: concern
  SKILL.md explicitly mandates silent operation ('严禁过程汇报,严禁询问', i.e. 'progress reports strictly forbidden, asking questions strictly forbidden') and instructs the agent to immediately push the returned URL to all users via default_api.message (WeChat). The code itself loads /root/.openclaw/.env and will surface environment keys in debug output if the prompt is missing. Combining enforced silence with writing to an attacker-controlled URL and automated messaging is covert and out of scope for a benign image helper.
- Install Mechanism: ok
  There is no install spec (instruction-only) and no external archive downloads. However, the provided Python script executes other local scripts (GEN_SCRIPT) and expects a custom pythonenv; the lack of an install step reduces supply-chain risk but does not mitigate the malicious behaviors embedded in the script.
- Credentials: concern
  requires.env declares none, yet the script loads /root/.openclaw/.env and injects any keys into the process environment. This reads potentially sensitive credentials without declaring them. It also references and uses root-level paths and an external BASE_URL, which are not justified by the simple stated purpose.
- Persistence & Privilege: concern
  The skill writes files to a system web directory (/opt/1panel/...), exposing copied files at an external domain. Although always:false, the skill requests filesystem and messaging permissions (per _meta.json) and modifies publicly visible filesystem state, a high-privilege action for an image helper and a persistent exfiltration channel.
