Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openrouter Image Generation

v1.0.0

Generate or edit images through OpenRouter's multimodal image generation endpoint (`/api/v1/chat/completions`) using OpenRouter-compatible image models. Use...

by Yihan Wang (@bawerlacher)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description, SKILL.md, and the Python script all implement OpenRouter image generation and editing (text->image and image->image). However, the registry metadata declares no required environment variables or binaries, while the runtime clearly expects an OPENROUTER_API_KEY (or --api-key) and the README examples use 'uv run'. The declared requirements therefore do not match the skill's real needs, which is an inconsistency.
Instruction Scope
SKILL.md instructions and the script stay within the stated purpose: constructing a chat/completions request to openrouter.ai, optionally embedding a local input image as a data URL, and saving the returned base64 image to ~/.openclaw/media/outbound. The instructions do not ask for unrelated files or credentials beyond OpenRouter-specific values. Notes: the doc insists on running the script via an absolute path and examples use 'uv run' (a runtime not declared in metadata).
Install Mechanism
There is no install spec (instruction-only skill plus a local Python script). No external downloads or archive extracts are used. The included Python script is readable and uses only the stdlib for HTTP and base64; no unusual install-time behavior is present.
! Credentials
The script requires an OpenRouter API key (OPENROUTER_API_KEY or --api-key) to operate and optionally reads OPENROUTER_SITE_URL and OPENROUTER_APP_NAME. The registry metadata nonetheless lists no required env vars or primary credential. That omission is a meaningful mismatch: the skill cannot function without that secret, so it should have declared it. Other than that, requested environment variables are proportional to the task and there are no unrelated credential requests.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills, and does not persist or elevate privileges. It only reads local files provided by the user and writes generated images to a contained OpenClaw media directory.
What to consider before installing
Before installing:
(1) Expect to provide an OpenRouter API key (OPENROUTER_API_KEY or pass --api-key) — the registry metadata did not declare this, so verify you are comfortable supplying that secret.
(2) The script sends your prompt and any input image to https://openrouter.ai; do not pass sensitive images or prompts you don't want sent to that service.
(3) Examples use 'uv run' and require Python 3.10+; ensure your environment supports the recommended runtime or run the script directly with Python.
(4) Review the included generate_image.py yourself (it's small and readable); it only posts to openrouter.ai and writes the base64 image result locally, but you should confirm the endpoint and headers are what you expect.
(5) If you need the metadata to be accurate for policy/audit purposes, ask the publisher to update required env vars and declared binaries before deploying broadly.

Like a lobster shell, security has layers — review code before you run it.
