Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WaveSpeed AI
v1.1.0
Generate and edit images and videos using WaveSpeed AI's 700+ model library. Use when the user wants to generate images from text prompts (FLUX, Seedream, Qw...
by Ilya @al1enjesus
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (WaveSpeed image/video generation) matches the code and model list: the CLI talks to api.wavespeed.ai and exposes model aliases. However, the registry metadata declares no required environment variables or primary credential, while both SKILL.md and the script clearly require WAVESPEED_API_KEY. The discrepancy matters: a user installing this skill would not be warned that a secret is needed.
Instruction Scope
SKILL.md instructs the agent to check the WAVESPEED_API_KEY env var (and even suggests running echo $WAVESPEED_API_KEY). Asking the agent/user to echo an API key risks accidental leakage into logs or chat. The instructions also say to check TOOLS.md and to 'ask the user' if no key is found; those are reasonable, but the explicit echo advice is risky and unnecessary for normal operation.
Install Mechanism
There is no install spec (instruction-only), which lowers install risk. Minor packaging inconsistencies: the README suggests installing 'axios form-data', but the shipped script only uses the built-in https/fs modules and package.json lists no dependencies. This looks like sloppy packaging rather than active malicious behavior.
Credentials
The code requires WAVESPEED_API_KEY (process.env.WAVESPEED_API_KEY) and will exit if it's not set, yet the skill metadata declares no required env vars or primary credential. The SKILL.md also asserts the key is 'already set in all Clawster containers' — an unverifiable and suspicious claim. The instruction to echo the env var could expose the secret; environment access is more privileged than the metadata indicates.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable. It does not attempt to persist itself or change system-wide settings. No elevated persistence privileges are requested.
What to consider before installing
Key points before installing:
(1) The skill actually requires WAVESPEED_API_KEY, but the metadata doesn't declare it — expect to provide that API key.
(2) Do not run or instruct the agent to run commands that print your API key (e.g., 'echo $WAVESPEED_API_KEY') because that can leak the secret into logs or chat; instead copy the key privately into the agent's secure credential store.
(3) Verify you trust the wavespeed.ai API and its pricing/terms; the script will send your key to api.wavespeed.ai and download URLs returned by that service.
(4) The packaging is sloppy (README asks to install axios/form-data though the script uses built-ins), which suggests the repo wasn't carefully reviewed — inspect the code yourself or run it in a sandbox.
(5) If you proceed, ask the maintainer to update the skill metadata to declare WAVESPEED_API_KEY as the primary credential and remove any guidance that prints secrets; consider auditing network endpoints and running the CLI in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
