ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

keevx-image-generate

v1.0.0

Use the Keevx API to generate images from prompts and reference images. Supports standard and professional modes, multiple quality levels (1K/2K/4K), various...

7· 157·0 current·0 all-time
by@baidu-xiling
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the SKILL.md (calling the Keevx image-generation API). However the registry metadata lists no required environment variables or credentials while the SKILL.md clearly requires KEEVX_API_KEY — this metadata omission is an incoherence.
!
Instruction Scope
Instructions tell the agent to upload local files (via multipart/form-data) and to optionally accept a callback_url that the service will POST to on completion. Uploading local files and providing callback URLs can expose user data externally; the skill does not limit or warn about sensitive files. The instructions otherwise stay within the stated purpose (image generation and status polling).
Install Mechanism
Instruction-only skill with no install spec or code files, so nothing is written to disk or fetched at install time — this is lower risk from an install perspective.
!
Credentials
The SKILL.md requires a single API key (KEEVX_API_KEY), which is proportional to the stated function. However the skill registry metadata does not declare this required environment variable or a primary credential — metadata mismatch reduces transparency and could hide necessary permission requirements. Also, callback behavior and file uploads mean the API key (and uploaded content) could be used/exposed to external endpoints.
Persistence & Privilege
The skill does not request always:true, has no install actions, and does not modify other skills or system configuration. It can run autonomously per platform defaults, which is expected for skills and not flagged by itself.
What to consider before installing
This skill appears to be a straightforward Keevx image-generation integration, but the registry metadata failed to declare the required KEEVX_API_KEY environment variable — ask the publisher to fix the metadata before installing. If you proceed, only provide an API key from a dedicated, least-privileged Keevx account. Be cautious about uploading local files (don’t upload sensitive images) because the skill instructs uploading files to the remote service, and providing a callback_url means the service will POST results to an external endpoint (which could leak data). Verify the Keevx domain and documentation (https://www.keevx.com and https://docs.keevx.com) yourself, and avoid using the skill with sensitive or private images until provenance and metadata are corrected.

Like a lobster shell, security has layers — review code before you run it.

latestvk975km1t27550gb9sjjn6jg6sh8350m3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments