Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Product Image Generator

v1.0.0

Generates professional product images for e-commerce platforms (Amazon, Shopify, eBay, etc.). Supports 8 visual styles and 6 scene types optimized for differ...

by Yang Jun (@boyd4y)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and the large set of documentation files are coherent for an image‑generation/creative workflow. However, the skill claims to 'generate images' but provides no code, no install, and no explicit image generation backend (no API calls, no model, no included binary). The SKILL.md examples call a /product-image-generator executable and show generated image files, but that binary or any image engine is not part of the package — this gap should be justified by the author (e.g., requires a separate image generator or platform service).
Instruction Scope
Runtime instructions reference reading and writing preferences (EXTEND.md) at both project (.teamclaw-skills/) and user ($HOME/.teamclaw-skills/...) paths, instruct the agent to run a local '/product-image-generator' command, and assume the ability to create files under product-images/. The skill metadata declared no required config paths, but the instructions clearly touch the user's filesystem. The SKILL.md is also vague about the actual image generation step (which tool/API to call), leaving broad discretionary behavior to the agent.
Install Mechanism
There is no install spec and no code to download or execute from external URLs, which reduces supply‑chain risk. Because it's instruction-only, nothing in the manifest will automatically be written to disk by an installer. The remaining risk is runtime: the instructions expect a binary or external tool to exist.
Credentials
The skill requests no environment variables or credentials (good). However, it expects to save and load preference files at project and user locations (e.g., $HOME/.teamclaw-skills/product-image-generator/EXTEND.md) without those paths being declared in metadata; this grants the skill write access to the user's home directory which should be considered before use.
Persistence & Privilege
always:false and no special privileges are requested. The skill will persist user preferences in its own config files (EXTEND.md) if the agent follows the instructions — that is a normal behavior for a user‑level tool and not an elevated privilege.
What to consider before installing
This skill's docs and presets look legitimate for producing e‑commerce images, but important runtime details are missing. Before installing or running it:
1) Ask the author what actually generates the PNGs (local binary, local image model, or an external API) and whether any network calls will be made;
2) Confirm the exact filesystem paths it will read/write and whether you are comfortable allowing writes to $HOME/.teamclaw-skills/ and your project directory;
3) If the skill needs an external image API or binary, require the author to declare that and any credential requirements;
4) Run first in an isolated/test environment (or sandbox) so it cannot unexpectedly modify other files;
5) If you accept it, review the created EXTEND.md and generated prompts to ensure no sensitive information is being recorded or transmitted.

Like a lobster shell, security has layers — review code before you run it.
