Sideload Avatar Generator
by DirectiveCreator · v1.0.2
812 Downloads · 2 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install sideload-avatar-generator
Description
Generate 3D avatars (VRM/GLB/MML) from text or images via Sideload.gg, paying $2 USDC per generation using any x402 wallet on Base.
Usage Guidance
This package appears to implement exactly what it claims — a Node.js CLI that posts prompts/images to sideload.gg and pays via an x402 token — but take these precautions before running it:
1) Treat the x402 token as a secret. Avoid passing it on the command line if others share the machine or if you care about it appearing in process listings or shell history; prefer a safer mechanism (stdin, ephemeral file, or an environment variable in a secure session) if possible.
2) Only upload images you intend to share: if you pass a local file path the script will base64-embed and send the file to the remote service (do not point it at sensitive files).
3) Verify the service domains (sideload.gg, aimml.sideload.gg, aimml.onrender.com) and, if concerned, inspect the included scripts (generate.js/status.js) yourself before running.
4) Ensure you have Node.js 18+ (the scripts use global fetch).
5) If you need higher assurance, confirm the upstream repository and release provenance (package.json points to a GitHub repo but the skill's homepage is missing in registry metadata).
Capability Analysis
Type: OpenClaw Skill
Name: sideload-avatar-generator
Version: 1.0.2
The skill is classified as suspicious due to a local file read vulnerability in `scripts/generate.js`. The script directly uses the `--image` argument to read local files (`readFileSync(imageInput)`) and base64-encodes their content for upload to `https://sideload.gg`. While intended for image files, this lacks input sanitization, allowing an attacker or a prompt-injected agent to potentially specify arbitrary file paths (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), leading to local file disclosure to the third-party Sideload.gg service. There is no evidence of intentional malicious behavior, but this constitutes a significant vulnerability.
Capability Assessment
Purpose & Capability
Name/description, required binary (node), packaged scripts, and network endpoints (sideload.gg) are consistent: the skill submits prompts/images, accepts an x402 payment token, polls for a job, and downloads results. No unrelated cloud credentials or binaries are requested.
Instruction Scope
Runtime instructions and included scripts only reference the Sideload API and result URLs. They read a local image file if you supply a path (and will base64-embed it into the request) and write downloaded outputs to an output directory. This is expected for an uploader/downloader, but it means any local file path you pass will be transmitted to the remote service.
Install Mechanism
No remote install or arbitrary download is performed by the skill itself (it's instruction/code included in the bundle). It relies only on Node.js and npm (explicit npm install recommended). There are no suspicious external installers or obscure download URLs in the manifest.
Credentials
No environment variables or long-lived credentials are required. However, the tool expects an x402 payment token passed as a command-line argument (--x402-token). Passing secrets via CLI exposes them to other local users via process listings and may be recorded in shell history; additionally, uploading a local image path will transmit that file to sideload.gg (possible leakage of sensitive files if misused).
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not alter other skills or system-wide settings, and does not persist credentials. Default autonomous invocation settings are unchanged.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install sideload-avatar-generator
- After installation, invoke the skill by name or use /sideload-avatar-generator
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Security: removed all private key handling. Skill never touches keys — pass x402 payment token via --x402-token. Added --probe to check cost. Zero dependencies.
v1.0.1
Security: declare X402_PRIVATE_KEY in metadata, add --x402-token for external signers (no private key required), emphasize dedicated wallet usage
v1.0.0
Generate 3D avatars (VRM/GLB/MML) from text or images via Sideload.gg with x402 payments
Frequently Asked Questions
What is Sideload Avatar Generator?
Generate 3D avatars (VRM/GLB/MML) from text or images via Sideload.gg, paying $2 USDC per generation using any x402 wallet on Base. It is an AI Agent Skill for Claude Code / OpenClaw, with 812 downloads so far.
How do I install Sideload Avatar Generator?
Run "/install sideload-avatar-generator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sideload Avatar Generator free?
Yes, Sideload Avatar Generator is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Sideload Avatar Generator support?
Sideload Avatar Generator is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Sideload Avatar Generator?
It is built and maintained by DirectiveCreator (@directivecreator); the current version is v1.0.2.