Back to skill
Skillv1.0.0
ClawScan security
SiliconFlow 多模态服务,支持图片生成(FLUX/Qwen)、视频生成(Wan)、TTS语音合成、ASR语音识别。使用代金券支付。 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 5:29 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required SILICONFLOW_API_KEY align with its stated multimodal media purpose; nothing requests unrelated credentials or system access.
- Guidance
- This skill is internally consistent, but before installing: (1) confirm you trust the siliconflow.cn service and the API key you provide (the key gives the service access to use your voucher balance and process uploaded files); (2) be aware that any audio/images you pass will be uploaded to SiliconFlow servers; (3) ensure your runtime has the dependencies (requests, pillow) installed; and (4) if you need stricter privacy, avoid sending sensitive audio/images or use a vetted/private model provider instead.
Review Dimensions
- Purpose & Capability
- okName/description (multimodal media) match the included scripts (image, video, TTS, ASR). The single required env var (SILICONFLOW_API_KEY) is the API credential you would expect for a hosted media API. No unrelated binaries, config paths, or extra credentials are requested.
- Instruction Scope
- okSKILL.md instructs running the provided scripts and those scripts only: (1) read user-supplied files (audio/image) when appropriate, (2) POST to https://api.siliconflow.cn endpoints, and (3) download returned media URLs. There are no instructions to read unrelated files, scan system state, or send data to third parties beyond the siliconflow endpoints. Users should note that any files you pass (audio/images) are uploaded to the SiliconFlow service.
- Install Mechanism
- okNo install spec (instruction-only) is present; inclusion is low-risk. The repository contains runnable scripts but no automated downloads or external installers. The scripts list dependencies (requests, pillow) in comments — these are normal but may need to be installed in your runtime environment.
- Credentials
- okOnly SILICONFLOW_API_KEY is required and is used consistently as a Bearer token when calling the siliconflow API. No other secrets or unrelated environment variables are requested or accessed by the scripts.
- Persistence & Privilege
- okThe skill does not request permanent/always-on privileges (always: false). It does not modify other skills or system-wide configs. Autonomous invocation is allowed by default but not combined with other concerning factors here.