Scan Report
5 /100
media-generation
Generate images, edit existing images, create short videos, run inpainting/outpainting and object-focused edits, use reference images as provider inputs, batch related media jobs from a manifest, and fetch returned media from URLs/HTML/JSON/data URLs/base64.
Legitimate media generation skill with no malicious behavior; all capabilities are declared in documentation and align with code functionality.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:line 58-63 declares tmp/images/ and tmp/videos/ writes |
| Network | READ | WRITE | ✓ Aligned | SKILL.md:line 1 declares image/video generation; POST requests to provider APIs … |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:line 1-13 describes scripts as 'bundled helpers' and 'functional helper… |
| Environment | READ | READ | ✓ Aligned | SKILL.md:line 136-147 declares OPENCLAW_MEDIA_PROVIDER, OPENCLAW_MEDIA_*_MODEL e… |
| Skill Invoke | WRITE | WRITE | ✓ Aligned | Scripts invoke each other via subprocess (e.g., mask_inpaint.py → edit_image.py) |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser access found |
| Database | NONE | NONE | — | No database access found |
File Tree
17 files · 100.0 KB · 2493 lines Python 13f · 2014L
Markdown 4f · 479L
├─
▾
references
│ ├─
batch-workflows.md
Markdown
│ ├─
model-capabilities.md
Markdown
│ └─
reference-image-workflow.md
Markdown
├─
▾
scripts
│ ├─
edit_image.py
Python
│ ├─
fetch_generated_media.py
Python
│ ├─
generate_batch_media.py
Python
│ ├─
generate_consistent_media.py
Python
│ ├─
generate_image.py
Python
│ ├─
generate_video.py
Python
│ ├─
mask_inpaint.py
Python
│ ├─
media_request_common.py
Python
│ ├─
object_select_edit.py
Python
│ ├─
outpaint_image.py
Python
│ ├─
prepare_object_mask.py
Python
│ ├─
reference_media.py
Python
│ └─
smoke_test.py
Python
└─
SKILL.md
Markdown
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
requests | * | pip | No | Version not pinned; widely-used library with known vulnerabilities in old versions |
Pillow | * | pip | No | Version not pinned; image processing library |
Security Positives
✓ All subprocess calls use list-based arguments, preventing command injection
✓ API keys are read from config file only and sent directly to declared provider endpoints
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded execution or obfuscation techniques
✓ No curl|bash or wget|sh remote script execution
✓ No credential harvesting beyond legitimate API key reading from config
✓ No data exfiltration to external IPs beyond provider API calls
✓ Documentation accurately describes all capabilities and workflows
✓ Output files are restricted to tmp/images/ and tmp/videos/ directories
✓ No persistence mechanisms (cron, startup hooks) detected
✓ All media download functionality uses proper URL parsing and validation