AI Photos

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-photos
Version: 2.2.0

The ai-photos skill (SKILL.md) exhibits high-risk behavior by automatically downloading and executing a binary from an external GitHub repository (github.com/zoubingwu/openclaw-ai-photos) during its bootstrap flow. It also establishes persistence by modifying the HEARTBEAT.md file to schedule periodic background synchronization tasks and launches a local web server for gallery browsing. While these capabilities are plausibly required for its stated purpose of local photo indexing and searching, the automated execution of unverified third-party code and the modification of task configurations represent significant security risks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may cause OpenClaw to run external code that was not part of the reviewed artifact set.

Why it was flagged

The reviewed package has no code files or install spec, yet the skill delegates core functionality to the latest external GitHub release. The artifact does not show pinning, checksum verification, or a reviewed bundled binary.

Skill content

It uses the latest published `ai-photos` CLI release from:
- repository: `https://github.com/zoubingwu/openclaw-ai-photos`
- install dir: `~/.openclaw/ai-photos/bin`
- binary path: `~/.openclaw/ai-photos/bin/ai-photos`

Recommendation

Use only after reviewing the referenced repository/release. The publisher should add an install spec, pin versions, verify checksums or signatures, and declare the external executable clearly.

What this means

OpenClaw could run local shell commands and install/use an executable before the user has reviewed the exact commands or binary.

Why it was flagged

The skill instructs the agent to execute a shell bootstrap automatically at task start. That is significant local code execution for a skill described by the registry as instruction-only.

Skill content

At the start of every ai-photos task, run the bootstrap flow exactly once... Run this shell block and capture its stdout as `AI_PHOTOS_BIN`:

Recommendation

Require explicit user confirmation before bootstrap execution, show what will be installed, and prefer a declared, reviewable install mechanism.

What this means

Private photo details, locations, device information, and file paths may become searchable in the album backend.

Why it was flagged

The skill creates a searchable local index containing captions and rich photo metadata. This is purpose-aligned, but the data can be sensitive and persistent.

Skill content

photo detail view with caption, scene, tags, capture time, device, location, orientation, and file info when available

Recommendation

Choose only folders you are comfortable indexing, avoid sensitive albums, and check where the album backend is stored and how to delete it.

What this means

If enabled, the skill may continue scanning photo sources after initial setup.

Why it was flagged

The skill supports persistent automatic indexing through OpenClaw heartbeat. It says this requires explicit approval, so it is not hidden, but it is still ongoing background behavior.

Skill content

manual sync now, optional automatic indexing later... if automatic indexing was approved, OpenClaw heartbeat is configured without breaking existing heartbeat tasks, the ai-photos block is present in `HEARTBEAT.md`, and one verification heartbeat has run

Recommendation

Approve automatic indexing only if you want ongoing background sync, and make sure you know how to remove the HEARTBEAT.md block later.