Skill v1.0.0

ClawScan security

Openrouter Image Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 7:02 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions match the described OpenRouter image-generation purpose, but the package metadata omits key runtime requirements (notably the OPENROUTER_API_KEY and the 'uv' invocation pattern), creating an incoherence you should understand before installing.
Guidance
Before installing: (1) Expect to provide an OpenRouter API key (OPENROUTER_API_KEY or pass --api-key) — the registry metadata did not declare this, so verify you are comfortable supplying that secret. (2) The script sends your prompt and any input image to https://openrouter.ai; do not pass sensitive images or prompts you don't want sent to that service. (3) Examples use 'uv run' and require Python 3.10+; ensure your environment supports the recommended runtime or run the script directly with Python. (4) Review the included generate_image.py yourself (it's small and readable); it only posts to openrouter.ai and writes the base64 image result locally, but you should confirm the endpoint and headers are what you expect. (5) If you need the metadata to be accurate for policy/audit purposes, ask the publisher to update required env vars and declared binaries before deploying broadly.

Review Dimensions

Purpose & Capability
concern
Name/description, SKILL.md, and the Python script all implement OpenRouter image generation and editing (text->image and image->image). However the registry metadata declares no required environment variables or binaries, while the runtime clearly expects an OPENROUTER_API_KEY (or --api-key) and the README examples use 'uv run'. The missing declared requirements are disproportionate to the skill's real needs and are an inconsistency.
Instruction Scope
ok
SKILL.md instructions and the script stay within the stated purpose: constructing a chat/completions request to openrouter.ai, optionally embedding a local input image as a data URL, and saving the returned base64 image to ~/.openclaw/media/outbound. The instructions do not ask for unrelated files or credentials beyond OpenRouter-specific values. Notes: the doc insists on running the script via an absolute path and examples use 'uv run' (a runtime not declared in metadata).
Install Mechanism
ok
There is no install spec (instruction-only skill plus a local Python script). No external downloads or archive extracts are used. The included Python script is readable and uses only the stdlib for HTTP and base64; no unusual install-time behavior is present.
Credentials
concern
The script requires an OpenRouter API key (OPENROUTER_API_KEY or --api-key) to operate and optionally reads OPENROUTER_SITE_URL and OPENROUTER_APP_NAME. The registry metadata nonetheless lists no required env vars or primary credential. That omission is a meaningful mismatch: the skill cannot function without that secret, so it should have declared it. Other than that, requested environment variables are proportional to the task and there are no unrelated credential requests.
Persistence & Privilege
ok
The skill does not request 'always: true', does not modify other skills, and does not persist or elevate privileges. It only reads local files provided by the user and writes generated images to a contained OpenClaw media directory.