AI Photos
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill’s photo-album purpose is understandable, but it tells the agent to automatically install and run an unpinned external CLI while also indexing private local photos and metadata.
Review the referenced GitHub project before installing. If you proceed, choose narrow photo folders, confirm where the album data is stored, and enable automatic indexing only if you are comfortable with ongoing background scans.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may cause OpenClaw to run external code that was not part of the reviewed artifact set.
The reviewed package has no code files or install spec, yet the skill delegates core functionality to the latest external GitHub release. The artifact does not show pinning, checksum verification, or a reviewed bundled binary.
It uses the latest published `ai-photos` CLI release from: - repository: `https://github.com/zoubingwu/openclaw-ai-photos` - install dir: `~/.openclaw/ai-photos/bin` - binary path: `~/.openclaw/ai-photos/bin/ai-photos`
Use only after reviewing the referenced repository/release. The publisher should add an install spec, pin versions, verify checksums or signatures, and declare the external executable clearly.
OpenClaw could run local shell commands and install/use an executable before the user has reviewed the exact commands or binary.
The skill instructs the agent to execute a shell bootstrap automatically at task start. That is significant local code execution for a skill described by the registry as instruction-only.
At the start of every ai-photos task, run the bootstrap flow exactly once... Run this shell block and capture its stdout as `AI_PHOTOS_BIN`:
Require explicit user confirmation before bootstrap execution, show what will be installed, and prefer a declared, reviewable install mechanism.
Private photo details, locations, device information, and file paths may become searchable in the album backend.
The skill creates a searchable local index containing captions and rich photo metadata. This is purpose-aligned, but the data can be sensitive and persistent.
photo detail view with caption, scene, tags, capture time, device, location, orientation, and file info when available
Choose only folders you are comfortable indexing, avoid sensitive albums, and check where the album backend is stored and how to delete it.
If enabled, the skill may continue scanning photo sources after initial setup.
The skill supports persistent automatic indexing through OpenClaw heartbeat. It says this requires explicit approval, so it is not hidden, but it is still ongoing background behavior.
manual sync now, optional automatic indexing later... if automatic indexing was approved, OpenClaw heartbeat is configured without breaking existing heartbeat tasks, the ai-photos block is present in `HEARTBEAT.md`, and one verification heartbeat has run
Approve automatic indexing only if you want ongoing background sync, and make sure you know how to remove the HEARTBEAT.md block later.