Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Image Gen
v0.1.0
Generate AI images from text prompts. Triggers on: "生成图片", "画一张", "AI图", "generate image", "配图", "create picture", "draw", "visualize", "generate an image".
⭐ 0 · 456 · 0 current · 0 all-time
by @0xfango
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to call the Labnana image API (base URL https://api.labnana.com) but requires a credential named LISTENHUB_API_KEY. The mismatch between 'Labnana' and 'ListenHub', plus the lack of homepage or source, is unexplained and could indicate sloppy naming or an incorrect/misleading credential requirement. Otherwise, required capabilities (saving generated images locally, building API requests) are consistent with an image-generation skill.
Instruction Scope
The SKILL.md is detailed and scoped to image generation: it collects parameters via the AskUserQuestion tool, assembles a JSON request, posts to the stated API endpoint, and decodes base64 responses to files. It also mandates reading several shared docs (shared/authentication.md, shared/config-pattern.md, shared/output-mode.md, shared/common-patterns.md) which are not part of the skill bundle—these may be platform-provided, but their absence in the package means the runtime behavior depends on external documentation. The skill will create config files under .listenhub/image-gen and write files to /tmp and .listenhub. It also allows up to 14 external reference image URLs which will be referenced in the API request.
Install Mechanism
Instruction-only skill with no installation spec and no bundled code. This is the lowest-risk install mechanism because nothing is downloaded or written by an installer. Runtime behavior is driven by SKILL.md instructions.
Credentials
The skill requires a single environment variable, LISTENHUB_API_KEY, which is plausible for an API-based image generator. However, the declared primaryEnv name (LISTENHUB_API_KEY) does not match the API host (labnana.com) referenced in the instructions. Additionally, the runtime instructions call for reading a config file for API key checks; it's unclear whether the API key is expected in env, config file, or both. The mismatch and dual source for credentials warrant confirmation before providing secrets.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It will create and write configuration and output files under .listenhub/image-gen and temporary files under /tmp; this is reasonable for an image generator but you should expect those local files to be created and stored. The skill does not modify other skills or global settings.
What to consider before installing
This skill appears to implement an image-generation flow, but there are a few things to check before installing:
1) Verify the provider and credential: the instructions call api.labnana.com but the required env var is LISTENHUB_API_KEY — ask the author which service the key is for and whether the key is scoped to image generation only.
2) Because the skill will create .listenhub/image-gen/config.json and save images under .listenhub/image-gen/, confirm you are comfortable with those local files and where they will be stored.
3) The skill references several shared docs that weren't included; ask what those are and what they instruct (especially the authentication and config patterns).
4) Provide a limited-scope or test API key first (not high-privilege production keys) until you confirm behavior.
5) If you plan to supply private reference-image URLs, note they will be submitted as fileUri entries in the API request—avoid sending sensitive internal URLs unless you trust the remote API and have confirmed data handling.
If the author can clarify the Labnana vs ListenHub naming and supply a homepage or source repository, that would raise confidence.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dy5hfe1bgv09j1vdjwa4bn182x0s8
Runtime requirements
🖼️ Clawdis
Env: LISTENHUB_API_KEY
Primary env: LISTENHUB_API_KEY
