Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Image Qwen Image Edit

v1.0.1

Edit images with Alibaba Cloud Model Studio Qwen Image Edit models (qwen-image-edit, qwen-image-edit-plus, qwen-image-edit-max and snapshots). Use when modif...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (Qwen Image Edit on Alibaba Cloud) match the included instructions and the helper script: they prepare a normalized image.edit request and validate responses. However, the metadata declares no required env vars or credentials while the SKILL.md explicitly requires DASHSCOPE_API_KEY or an Alibaba Cloud creds entry, which is inconsistent.
Instruction Scope
SKILL.md instructions stay within the skill's stated purpose: preparing requests, validating responses, running a small py_compile validation, guiding prompt/mask usage, and asking to perform a minimal read-only connectivity check. The helper script only reads/writes JSON request/response files and does not attempt to access unrelated system paths or exfiltrate data by itself.
Install Mechanism
There is no install spec; the SKILL.md recommends creating a Python venv and pip installing the 'dashscope' package. This is a typical approach for an SDK-based integration. The only risk is the external pip package — verify the package's provenance (dashscope) before installing.
Credentials
The runtime docs require DASHSCOPE_API_KEY or adding dashscope_api_key to ~/.alibabacloud/credentials (cloud credentials). The skill metadata, however, lists no required env vars or primary credential. That mismatch is concerning: the skill will need cloud credentials to operate, but the registry metadata does not declare them, which could lead to unexpected credential requests at runtime.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It writes output under an output/ directory and suggests using object storage for assets. There is no evidence it modifies other skills or system-wide config.
What to consider before installing
This skill looks like a legitimate wrapper for Alibaba Cloud Qwen image-edit models, but before installing:

  1. Note that SKILL.md requires a DASHSCOPE_API_KEY or credentials in ~/.alibabacloud/credentials even though the registry metadata omitted any required env — ask the publisher to correct the metadata or document why creds are optional.
  2. Inspect the 'dashscope' pip package provenance (PyPI name, source repo) before installing and prefer creating a disposable venv.
  3. Provide least-privilege cloud credentials (a key scoped only to the necessary Model Studio operations) and avoid using broad account keys.
  4. Confirm where outputs are stored (default output/ path and any object storage) and whether those artifacts may contain sensitive data.
  5. If you need higher assurance, request the publisher to declare the required environment variables in the registry metadata and to provide a checksum/source for the dashscope package.

Overall the skill is coherent with its purpose but the missing credential declaration is a notable inconsistency.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a6a09dxnjbf577pgecwxe2d82q414
1k downloads
0 stars
2 versions
Updated 19h ago
v1.0.1
MIT-0

Category: provider

Model Studio Qwen Image Edit

Validation

mkdir -p output/alicloud-ai-image-qwen-image-edit
python -m py_compile skills/ai/image/alicloud-ai-image-qwen-image-edit/scripts/prepare_edit_request.py && echo "py_compile_ok" > output/alicloud-ai-image-qwen-image-edit/validate.txt

Pass criteria: command exits 0 and output/alicloud-ai-image-qwen-image-edit/validate.txt is generated.

Output And Evidence

  • Save edit request payloads, result URLs, and model parameters under output/alicloud-ai-image-qwen-image-edit/.
  • Keep one sample request/response pair for reproducibility.

Use Qwen Image Edit models for instruction-based image editing instead of text-to-image generation.

Critical model names

Use one of these exact model strings:

  • qwen-image-edit
  • qwen-image-edit-plus
  • qwen-image-edit-max
  • qwen-image-2.0
  • qwen-image-2.0-pro
  • qwen-image-edit-plus-2025-12-15
  • qwen-image-edit-max-2026-01-16

Prerequisites

  • Install the SDK in a virtual environment:
      python3 -m venv .venv
      . .venv/bin/activate
      python -m pip install dashscope
  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials.

Normalized interface (image.edit)

Request

  • prompt (string, required)
  • image (string | bytes, required) source image URL/path/bytes
  • mask (string | bytes, optional) inpaint region mask
  • size (string, optional) e.g. 1024*1024
  • seed (int, optional)

Response

  • image_url (string)
  • seed (int)
  • request_id (string)
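
An added example, not the skill's prepare_edit_request.py or any project code: one way to check a request and a response against the normalized image.edit interface and the exact model strings listed above. Passing the model as a separate argument, rejecting unknown fields, the WIDTH*HEIGHT size pattern and the https-only rule for image_url are assumptions of this sketch.

```python
# Added example: validators for the normalized image.edit interface on this page.
import re
from urllib.parse import urlparse

# Exact model strings listed under "Critical model names".
ALLOWED_MODELS = {
    "qwen-image-edit", "qwen-image-edit-plus", "qwen-image-edit-max",
    "qwen-image-2.0", "qwen-image-2.0-pro",
    "qwen-image-edit-plus-2025-12-15", "qwen-image-edit-max-2026-01-16",
}
SIZE_RE = re.compile(r"[1-9]\d{1,4}\*[1-9]\d{1,4}")  # assumed shape, e.g. 1024*1024

def _is_int(v):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(v, int) and not isinstance(v, bool)

def validate_request(req, model):
    """Return a list of problems; an empty list means the request is well-formed."""
    errs = []
    if model not in ALLOWED_MODELS:
        errs.append(f"model {model!r} is not an allowed model string")
    unknown = set(req) - {"prompt", "image", "mask", "size", "seed"}
    if unknown:  # assumption: fail closed on fields the interface does not define
        errs.append(f"unknown fields: {sorted(unknown)}")
    if not isinstance(req.get("prompt"), str) or not req["prompt"].strip():
        errs.append("prompt must be a non-empty string")
    if not isinstance(req.get("image"), (str, bytes)) or not req["image"]:
        errs.append("image must be a non-empty string or bytes")
    if "mask" in req and not isinstance(req["mask"], (str, bytes)):
        errs.append("mask must be a string or bytes")
    if "size" in req and not (isinstance(req["size"], str) and SIZE_RE.fullmatch(req["size"])):
        errs.append("size must look like WIDTH*HEIGHT")
    if "seed" in req and not _is_int(req["seed"]):
        errs.append("seed must be an int")
    return errs

def validate_response(resp):
    """Check the three response fields before any URL is persisted."""
    errs = []
    url = resp.get("image_url")
    # Assumption: only https result URLs with a host are accepted.
    if not isinstance(url, str) or urlparse(url).scheme != "https" or not urlparse(url).netloc:
        errs.append("image_url must be an https URL")
    if not _is_int(resp.get("seed")):
        errs.append("seed must be an int")
    if not isinstance(resp.get("request_id"), str) or not resp["request_id"]:
        errs.append("request_id must be a non-empty string")
    return errs
```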

Operational guidance

  • Keep prompts task-oriented: describe what to change and what to preserve.
  • Use masks for deterministic local edits.
  • Save output assets to object storage and persist only URLs.
  • For subject consistency, provide explicit constraints in prompt.

Local helper script

Prepare a normalized request JSON and validate response schema:

.venv/bin/python skills/ai/image/alicloud-ai-image-qwen-image-edit/scripts/prepare_edit_request.py \
  --prompt "Replace the sky with sunset, keep buildings unchanged" \
  --image "https://example.com/input.png"

Output location

  • Default output: output/alicloud-ai-image-qwen-image-edit/images/
  • Override base dir with OUTPUT_DIR.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • references/sources.md
