Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

liblib-comfyui-fusion

v1.0.0

Generate product background fusion images via LiblibAI ComfyUI app API using signed AccessKey/SecretKey requests. Use when user asks for Liblib Comfy app gen...

by zhangmin @1213qwerwef

Install

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for 1213qwerwef/liblib-comfyui-fusion.

Prompt (Install & Setup):
Install the skill "liblib-comfyui-fusion" (1213qwerwef/liblib-comfyui-fusion) from ClawHub.
Skill page: https://clawhub.ai/1213qwerwef/liblib-comfyui-fusion
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install liblib-comfyui-fusion

ClawHub CLI:

npx clawhub@latest install liblib-comfyui-fusion

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description, SKILL.md, and the Python client implement Liblib ComfyUI submission, polling, and optional Cloudflare R2 upload — this aligns with the stated purpose. However, the registry metadata claims no required env vars or binaries while the SKILL.md and script require LIB_ACCESS_KEY and LIB_SECRET_KEY (and optionally R2 creds and python/boto3). That mismatch is unexpected.
Instruction Scope
SKILL.md instructs use of LIB_ACCESS_KEY / LIB_SECRET_KEY and to run scripts/liblib_client.py. The Python script accesses additional environment variables (R2_* defaults, FEISHU_TEXT) and performs network I/O (calls openapi.liblibai.cloud, downloads returned image URLs) and optional upload to R2. These actions are consistent with the feature, but SKILL.md and package metadata do not fully document all env vars and binary/runtime requirements (python3, boto3). The script also prints full task JSON to stderr (could include sensitive metadata).
Install Mechanism
There is no install spec (instruction-only style), but the package includes a Python client that depends on python3 and boto3. The plugin's Node entrypoint attempts to spawn a Python process named 'client.py' (index.js: spawn('python3', ['client.py', ...])). The actual Python file is scripts/liblib_client.py, so the entrypoint is likely broken — runtime failure or confusion. The lack of declared runtime dependencies (python3, boto3, requests) is an inconsistency.
Credentials
SKILL.md explicitly requires LIB_ACCESS_KEY and LIB_SECRET_KEY — appropriate for signing requests to Liblib. The Python client also accepts/reads multiple R2-related environment variables (R2_ENDPOINT, R2_ACCESS_KEY, R2_SECRET_KEY, R2_BUCKET, PUBLIC_URL_BASE) and FEISHU_TEXT; these are not declared in the registry metadata. Because R2 credentials grant write access to an S3-compatible bucket, requesting them is only justified if you plan to upload local images; the skill neither declares which envs are mandatory vs optional nor declares a primary credential.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It writes outputs into a workspace/outputs directory (normal for a generator) and prints MEDIA: lines for Feishu integration. No excessive persistence or privilege escalation is requested.
What to consider before installing
This skill appears to implement Liblib ComfyUI generation, but there are several red flags and missing details you should address before installing or running it:

  • Declare and provide credentials only if you trust the endpoint: the script requires LIB_ACCESS_KEY and LIB_SECRET_KEY for Liblib API signing. Only supply these to trusted code/hosts.
  • The client can optionally upload local images to an S3-compatible R2 bucket. That requires R2_ACCESS_KEY / R2_SECRET_KEY (write access). Only provide R2 credentials if you understand and control the target bucket; otherwise use --local-image-mode data-uri to avoid uploading.
  • Runtime requirements are undeclared: the package expects python3 and the Python dependencies requests and boto3 (boto3 only needed for R2 uploads). Ensure these are installed from trusted sources; the package.json does not declare them.
  • The Node entrypoint appears broken: index.js spawns 'client.py' but the actual script is scripts/liblib_client.py. Expect a runtime error unless the wrapper or packaging is fixed. Ask the author to fix the entrypoint so the skill runs as documented.
  • The script prints the full API task JSON to stderr. That JSON may contain metadata you consider sensitive — check it before sharing or storing.
  • Network behavior: the tool contacts https://openapi.liblibai.cloud and downloads images from URLs produced by that API. If you do not trust those endpoints or the images they return, consider running this in an isolated environment.

If you decide to proceed: get a corrected package (fix entrypoint), verify source/trust of the code, only provide the minimal credentials needed (or use data-uri mode), and run it in an environment where workspace/outputs is isolated. If you cannot validate the code origin, treat it as untrusted and do not supply secrets.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

index.js:8: Shell command execution detected (child_process).

latest: vk976zba5cxmg75xkj0qcqh6yn984hmra
90 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Liblib Comfy Fusion Generation

Generate images with LiblibAI ComfyUI App API (template-based workflow). Supports public image URL or local file.

For local files from Feishu, the recommended flow is:

  1. upload the local file to R2 (S3-compatible) to get a public URL
  2. use that public URL as the Liblib LoadImage input
  3. return the Liblib result imageUrl as MEDIA:https://... so Feishu displays it directly

Prerequisites

Environment variables must be set:

  • LIB_ACCESS_KEY — API access key
  • LIB_SECRET_KEY — API secret key

Usage

Run the CLI at scripts/liblib_client.py:

# Public URL input
python3 scripts/liblib_client.py run --image-url "https://example.com/input.jpg"

# Local file (Feishu inbound attachment) → upload to R2 → use public URL
python3 scripts/liblib_client.py run --local-image "/path/to/input.png" --basename "product-fusion"

# Local file (advanced): embed as data URI (only if Liblib accepts it)
python3 scripts/liblib_client.py run --local-image "/path/to/input.png" --local-image-mode data-uri

# Parse URL from Feishu message text
python3 scripts/liblib_client.py run --feishu-text "请处理这个图 https://example.com/input.jpg"

# Submit only (no poll)
python3 scripts/liblib_client.py run --local-image "./input.jpg" --no-poll

# Query task status
python3 scripts/liblib_client.py status <generateUuid>

Output and Feishu Return

  • After a successful run (generateStatus=5), the script downloads images[].imageUrl into workspace/outputs/images/YYYY-MM-DD/<basename>.(png|jpg|...) (override with --output-dir).
  • stdout prints a single line: MEDIA:./outputs/images/YYYY-MM-DD/<file> (relative to workspace/). Use this with OpenClaw Feishu channel so the image appears in the current chat without extra API calls.
  • Full task JSON is printed to stderr for debugging.
  • If MEDIA: is not supported in your channel, use feishu-uploader with --receive-id-type chat_id and the group chat_id, or --open-id for DM.

Parameters (run)

Flag                          Meaning
--local-image                 Local path; takes priority over URL. Default mode uploads to R2 and uses public URL.
--local-image-mode            r2 (default) or data-uri.
--image-url                   Public URL the Liblib servers can fetch.
--feishu-text / FEISHU_TEXT   Extract first http(s) URL from text.
--output-dir                  Default: <workspace>/outputs/images.
--basename                    Filename stem (default liblib-fusion).
--no-download                 Skip downloading result files.
--no-print-media              Do not print MEDIA: line; stdout prints absolute path of first saved file instead.

API Details

  • Submit endpoint: POST /api/generate/comfyui/app
  • Status endpoint: POST /api/generate/comfy/status
  • Auth query params: AccessKey, Signature, Timestamp, SignatureNonce
  • Signature algorithm:
    • content = uriPath & Timestamp & SignatureNonce
    • HMAC-SHA1(secretKey, content)
    • URL-safe Base64 without trailing =
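The signature scheme above, written out as a small signing and verifying routine. This is an added example and is not the skill's own scripts/liblib_client.py. It assumes that the "&" in "uriPath & Timestamp & SignatureNonce" is a literal separator with no surrounding spaces, that Timestamp is Unix time in milliseconds, and that SignatureNonce is a random per-request string; the timestamp-skew check in verify_signature is a defender-side illustration the page does not describe, so treat its window as an assumption too.

```python
"""Liblib-style request signing: HMAC-SHA1 over "uriPath&Timestamp&SignatureNonce",
URL-safe Base64 with the trailing '=' stripped.

Assumptions (not stated on the page): '&' is a literal separator with no spaces,
Timestamp is Unix milliseconds, SignatureNonce is random per request.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Characters a URL-safe Base64 string may contain once padding is removed.
URLSAFE_B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def sign(uri_path: str, secret_key: str, timestamp: str, nonce: str) -> str:
    """Compute the Signature query parameter for one request."""
    content = f"{uri_path}&{timestamp}&{nonce}"  # assumed literal '&' separators
    digest = hmac.new(secret_key.encode("utf-8"), content.encode("utf-8"), hashlib.sha1).digest()
    # SHA-1 is 20 bytes -> 28 Base64 chars with one '=' of padding -> 27 chars after stripping.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def auth_params(
    access_key: str,
    secret_key: str,
    uri_path: str,
    timestamp: Optional[str] = None,
    nonce: Optional[str] = None,
) -> Dict[str, str]:
    """Build the four auth query parameters listed under 'API Details'.

    timestamp and nonce are injectable so tests can pin them; real callers leave
    them None so every request carries a fresh timestamp and nonce, which is what
    limits the value of a captured request to an observer.
    """
    ts = timestamp if timestamp is not None else str(int(time.time() * 1000))  # assumed: ms
    nc = nonce if nonce is not None else secrets.token_hex(16)
    return {
        "AccessKey": access_key,
        "Signature": sign(uri_path, secret_key, ts, nc),
        "Timestamp": ts,
        "SignatureNonce": nc,
    }


def verify_signature(
    uri_path: str,
    secret_key: str,
    params: Dict[str, str],
    max_skew_ms: int = 300_000,
    now_ms: Optional[int] = None,
) -> bool:
    """Recompute the signature and compare it in constant time.

    The skew window is an assumption for illustration: the page does not say
    whether or how the server rejects stale timestamps.
    """
    try:
        ts, nonce, given = params["Timestamp"], params["SignatureNonce"], params["Signature"]
        ts_int = int(ts)
    except (KeyError, ValueError):
        return False
    now = now_ms if now_ms is not None else int(time.time() * 1000)
    if abs(now - ts_int) > max_skew_ms:
        return False
    expected = sign(uri_path, secret_key, ts, nonce)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    demo = auth_params("demo-access-key", "demo-secret-key", "/api/generate/comfyui/app")
    print({k: (v if k != "Signature" else v[:6] + "...") for k, v in demo.items()})
```

Only the four parameters above go on the query string; the secret key itself never leaves the client, which is why the scan's concern about where LIB_SECRET_KEY is supplied matters more than the request format.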

Async Pattern

  1. Submit task to get generateUuid
  2. Poll status endpoint until generateStatus is 5 (success) or 6 (failed)
  3. Read images[].imageUrl when successful
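The submit-then-poll pattern in the three steps above, as an added example with the network calls injected so it runs offline; it is not the skill's own client. It assumes the status payload is a dict carrying generateStatus and, on success, images as a list of {"imageUrl": ...} objects, and it treats any status other than 5 and 6 as "still running", which the page does not state. The allowlist check before downloading a returned URL is a defensive addition that reflects the scan's note about untrusted endpoints; the hosts and the scripted responses are constructed.

```python
"""Async submit/poll loop for a Liblib ComfyUI task, with injectable I/O.

Constructed example. fetch_status(generate_uuid) stands in for POST
/api/generate/comfy/status and submit() for POST /api/generate/comfyui/app.
Assumed: statuses other than 5 (success) and 6 (failed) mean 'still running'.
"""
import time
from typing import Any, Callable, Dict, List, Sequence, Tuple
from urllib.parse import urlsplit

STATUS_SUCCESS = 5
STATUS_FAILED = 6


class LiblibTaskError(RuntimeError):
    """Task reached generateStatus 6 or returned an unusable payload."""


def poll_task(
    generate_uuid: str,
    fetch_status: Callable[[str], Dict[str, Any]],
    max_attempts: int = 60,
    interval_s: float = 5.0,
    sleep: Callable[[float], None] = time.sleep,
) -> List[str]:
    """Poll until a terminal status, then return images[].imageUrl.

    Bounded by max_attempts so a task stuck in a non-terminal state cannot
    hang the caller forever; sleep is injectable for tests.
    """
    for _ in range(max_attempts):
        data = fetch_status(generate_uuid)
        status = data.get("generateStatus")
        if status == STATUS_SUCCESS:
            urls = [
                img["imageUrl"]
                for img in data.get("images", [])
                if isinstance(img, dict) and img.get("imageUrl")
            ]
            if not urls:
                raise LiblibTaskError(f"{generate_uuid}: success status but no imageUrl in payload")
            return urls
        if status == STATUS_FAILED:
            raise LiblibTaskError(f"{generate_uuid}: task failed (generateStatus=6)")
        sleep(interval_s)
    raise TimeoutError(f"{generate_uuid}: no terminal status after {max_attempts} polls")


def run_task(
    submit: Callable[[], Dict[str, Any]],
    fetch_status: Callable[[str], Dict[str, Any]],
    **poll_kwargs: Any,
) -> Tuple[str, List[str]]:
    """Step 1 (submit, read generateUuid) followed by steps 2 and 3 (poll, read URLs)."""
    resp = submit()
    generate_uuid = resp.get("generateUuid")
    if not generate_uuid:
        raise LiblibTaskError("submit response has no generateUuid")
    return generate_uuid, poll_task(generate_uuid, fetch_status, **poll_kwargs)


def is_downloadable(url: str, allowed_hosts: Sequence[str]) -> bool:
    """Check a returned imageUrl before fetching it: https only, host on an allowlist.

    The allowlist is an assumption for illustration; the page does not say which
    hosts Liblib serves results from, so populate it from observed, trusted hosts.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and any(host == h or host.endswith("." + h) for h in allowed_hosts)


def fake_status_source(responses: Sequence[Dict[str, Any]]) -> Callable[[str], Dict[str, Any]]:
    """Constructed stand-in for the status endpoint: replays a scripted sequence,
    repeating the last response once the sequence is exhausted."""
    it = iter(responses)
    last = responses[-1]

    def fetch(_generate_uuid: str) -> Dict[str, Any]:
        return next(it, last)

    return fetch


# Constructed sample: two non-terminal polls, then success with one image.
SAMPLE_SUCCESS = [
    {"generateStatus": 1},
    {"generateStatus": 2},
    {"generateStatus": 5, "images": [{"imageUrl": "https://cdn.example.invalid/out/1.png"}]},
]

if __name__ == "__main__":
    uuid, urls = run_task(lambda: {"generateUuid": "constructed-uuid"},
                          fake_status_source(SAMPLE_SUCCESS), interval_s=0, sleep=lambda s: None)
    print(uuid, [u for u in urls if is_downloadable(u, ["example.invalid"])])
```

Replacing fake_status_source with a real HTTP call is the only change needed for live use; the loop, its attempt bound and the URL check stay the same.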

Notes

  • URL input: must be publicly reachable by Liblib.
  • Local input: default uses R2 upload to produce a public URL. Requires boto3.
  • Returned image URLs are temporary (typically ~7 days).
  • If API returns content review errors, try a different source image or URL.
