clawra-selfie

The skill demonstrates coherent purpose-capability alignment and data flow for editing and distributing AI-generated selfies using standard external APIs and messaging gateways. There are reasonable security concerns around environment-variable credentials and outbound data flows, but nothing evidence-based indicates credential harvesting or malicious behavior. Treat as SUSPICIOUS for credential exposure surfaces and data-privacy considerations, but BENIGN regarding direct malicious action given the stated intent.

The skill demonstrates coherent purpose-capability alignment and data flow for editing and distributing AI-generated selfies using standard external APIs and messaging gateways. There are reasonable security concerns around environment-variable credentials and outbound data flows, but nothing evidence-based indicates credential harvesting or malicious behavior. Treat as SUSPICIOUS for credential exposure surfaces and data-privacy considerations, but BENIGN regarding direct malicious action given the stated intent.

No clear evidence of intentionally malicious code is present in this file; its functionality matches an image-generation-and-send utility. However, there is a significant security issue: the code builds and executes a shell command (openclaw CLI) by interpolating user-provided values without escaping or validation, leading to command injection risk. The script also sends prompts and API keys to external services (expected for operation), and will POST message contents to a gateway URL that could be attacker-controlled if environment variables are compromised. Recommend sanitizing/escaping shell arguments or using child_process.spawn with argument arrays (or avoiding CLI execution entirely), validating/whitelisting OPENCLAW_GATEWAY_URL, and avoiding logging secrets. Treat the module as functionally legitimate but moderately risky until fixes are applied.

No clear evidence of intentionally malicious code is present in this file; its functionality matches an image-generation-and-send utility. However, there is a significant security issue: the code builds and executes a shell command (openclaw CLI) by interpolating user-provided values without escaping or validation, leading to command injection risk. The script also sends prompts and API keys to external services (expected for operation), and will POST message contents to a gateway URL that could be attacker-controlled if environment variables are compromised. Recommend sanitizing/escaping shell arguments or using child_process.spawn with argument arrays (or avoiding CLI execution entirely), validating/whitelisting OPENCLAW_GATEWAY_URL, and avoiding logging secrets. Treat the module as functionally legitimate but moderately risky until fixes are applied.