ClawHub

OpenClaw Role Builder

v1.0.2

Build and manage OpenClaw roles — create a full AI character role from any public figure or fictional character, then generate identity-consistent selfies an...

0· 62·0 current·0 all-time
byAustin Zhou@zhouyi531
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to create/manage OpenClaw roles and generate identity-consistent images via the TuQu API. The declared requirement (python3), the workspace paths (~/.openclaw/...), and included scripts (register_role.py, shift_role.py, tuqu_request.py) match those capabilities and are proportionate to the described functionality.
Instruction Scope
SKILL.md and sub-skill documents describe only reading/writing under ~/.openclaw and reading their own bundled reference files. The persona workflows explicitly operate on workspace files and (when needed) profile images in the workspace and call the TuQu API. There are no instructions to read arbitrary system files or to exfiltrate data, but several operations perform filesystem moves within ~/.openclaw (shift_role.py).
Install Mechanism
No installer or remote download is used; this is an instruction+script package that runs local Python helpers. That keeps disk writes limited to the bundled scripts and the user's ~/.openclaw workspace. Risk is low from the install mechanism itself.
Credentials
The skill does not require environment variables and documents passing the TuQu service key via a --service-key CLI flag per request (credentialSetup is documented). This is reasonable for per-role keys, but the runtime behavior relies on the tuqu_request.py helper to never persist or leak keys and to restrict hosts. The metadata does not list required env vars (which is consistent) but you should verify the helper actually enforces the claimed handling.
Persistence & Privilege
always:false and user-invocable are set. The scripts write and move files only under ~/.openclaw (ROLES.json and workspace directories). The shift script moves directories within that area; it does not attempt to modify other skills or system-wide settings. No evidence of privileged persistence or always-on behavior.
Assessment
This package appears coherent for creating persona files and calling the TuQu photo API. Before installing or running: 1) Inspect scripts/tuqu_request.py to confirm it only contacts the documented hosts (photo.tuqu.ai, billing.tuqu.ai), does not write service keys to disk or logs, and does not accept arbitrary remote URLs to execute. 2) Backup any existing ~/.openclaw directory (shift_role.py will move workspaces). 3) Prefer passing TuQu keys via the CLI flag as documented and never paste keys into chat. 4) If you allow autonomous agent invocation, be aware the model could call the bundled helper to perform network requests (so verify the helper's host restrictions and logging behavior). If those checks are satisfactory, the skill's requirements and behavior are proportionate to its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e19r053bvpm4vesff9w7m1s83rpg3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎭 Clawdis
OSLinux · macOS · Windows
Any binpython3

Comments