Cloudflare Image Generation
v1.0.0
Generate images using the Cloudflare Workers AI flux-1-schnell model. Use when the user requests text-to-image generation through the Cloudflare Workers API.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Cloudflare image generation) match the included script which calls Cloudflare's AI endpoint; functionality is coherent. However, instead of asking the user to provide their own Cloudflare credentials, the skill contains hard-coded Account ID and Token in SKILL.md and the script, which is unexpected for a shared skill.
Instruction Scope
Runtime instructions reference absolute paths under /home/ubuntu/.openclaw and explicitly instruct sending the result via Telegram even though no Telegram credentials or integration are declared. The script writes API responses to /tmp/cf_response.json and uses hardcoded credentials — these broaden the scope beyond a minimal image-generation helper.
Install Mechanism
No install spec (instruction-only + a small script). Nothing is downloaded or installed by the skill itself.
Credentials
No required env vars are declared, yet a bearer token and account ID are embedded in both SKILL.md and the script. Publishing credentials inside the skill is disproportionate and risky — anyone with the skill can use that token. The skill also instructs sending images via Telegram without declaring or requesting Telegram credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and does not request elevated or persistent platform privileges.
What to consider before installing
Do not install or run this skill as-is. It embeds a Cloudflare bearer token and account ID in SKILL.md and the script; credentials should never be hard-coded in shared skills. If you are the owner and intend to use this skill safely: (1) remove the embedded token and require users to supply their own credentials via environment variables or a secure secrets mechanism; (2) replace shell-based curl with a safe HTTP call (e.g., Python requests or subprocess.run with a list of arguments) to avoid shell injection risks from untrusted prompts; (3) avoid instructing sending images via Telegram unless the skill declares and uses Telegram credentials securely; (4) if the included token might be real, assume it is compromised and rotate/revoke it immediately. If you need help making these fixes, request a version that uses environment variables for credentials and safe HTTP calls.
Like a lobster shell, security has layers: review code before you run it.
latest
Cloudflare Image Generation
This skill generates images using the Cloudflare Workers AI @cf/black-forest-labs/flux-1-schnell model.
Credentials
- Account ID: 1e89d3ce76cbfef3b5c340e3984b7a52
- Token: aCTA2KaKa1n3ayFDL-LPmZ-JgUC0HHgA5Msy18Bk
- Model: @cf/black-forest-labs/flux-1-schnell
Usage
Run the script directly:
python3 /home/ubuntu/.openclaw/workspace/skills/cloudflare-image-gen/scripts/generate_image.py "your prompt here" -o output.png
Or use the Python function:
import sys
sys.path.insert(0, '/home/ubuntu/.openclaw/workspace/skills/cloudflare-image-gen/scripts')
from generate_image import generate_image
output_path = generate_image("a black horse")
Output
The script saves the generated image as PNG and returns the file path. Send the image to the user via Telegram.
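A hardened form of the call, following the scan's recommendations (credentials from the environment, no shell, no predictable temp file). This is an added example, not the skill's own generate_image.py. The environment variable names, the helper names, the 32-hex account ID check and the response shape (base64 image under result.image) are assumptions.

```python
import base64
import json
import os
import re
import urllib.request

MODEL = "@cf/black-forest-labs/flux-1-schnell"  # model named on the page
API = "https://api.cloudflare.com/client/v4/accounts/{account}/ai/run/{model}"


def load_credentials(env=os.environ):
    """Read credentials from the environment (variable names are assumptions)."""
    account = env.get("CLOUDFLARE_ACCOUNT_ID", "")
    token = env.get("CLOUDFLARE_API_TOKEN", "")
    # Assumption: account IDs are 32 hex characters. Rejecting anything else
    # keeps the value from altering the URL path.
    if not re.fullmatch(r"[0-9a-f]{32}", account):
        raise ValueError("CLOUDFLARE_ACCOUNT_ID missing or malformed")
    if not token or any(c.isspace() for c in token):
        raise ValueError("CLOUDFLARE_API_TOKEN missing or malformed")
    return account, token


def build_request(prompt, account, token):
    """Build the HTTPS request in-process; the prompt only ever travels as a
    JSON string, so no shell parses it."""
    if not isinstance(prompt, str) or not prompt.strip():
        raise ValueError("prompt must be a non-empty string")
    return urllib.request.Request(
        API.format(account=account, model=MODEL),
        data=json.dumps({"prompt": prompt}).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def generate_image(prompt, output_path="output.png", env=os.environ):
    account, token = load_credentials(env)
    req = build_request(prompt, account, token)
    with urllib.request.urlopen(req, timeout=60) as resp:
        body = json.load(resp)  # parsed in memory, no /tmp/cf_response.json
    # Assumed response shape: base64-encoded image under result.image.
    image = base64.b64decode(body["result"]["image"])
    # Owner-only file; O_EXCL refuses to overwrite or follow an existing path.
    fd = os.open(output_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(image)
    return output_path
```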
