clawra-selfie
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill interacts with the fal.ai API (fal.run) to perform image editing and generation tasks using xAI's Grok Imagine model.
- [EXTERNAL_DOWNLOADS]: A reference image used for consistent agent appearance is fetched from a public jsDelivr CDN URL pointing to the vendor's official GitHub repository.
- [COMMAND_EXECUTION]: The installer script (bin/cli.js) executes shell commands to install platform dependencies like the OpenClaw CLI and to manage file system operations within the user's home directory (~/.openclaw).
- [COMMAND_EXECUTION]: Integration scripts (.sh and .ts files) execute the openclaw command-line tool to transmit generated images and messages to various messaging platforms such as Discord and Telegram.
- [PROMPT_INJECTION]: The skill takes untrusted user input to construct image generation prompts. It uses jq in shell scripts and template literals in TypeScript to properly escape this input, reducing the risk of unintended prompt behavior during the image generation phase.
Audit Metadata