Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Image Zimage Turbo

v1.0.3

Generate images with Alibaba Cloud Model Studio Z-Image Turbo (z-image-turbo) via DashScope multimodal-generation API. Use when creating text-to-image output...

Security Scan

  • VirusTotal: Benign
  • OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description (Z-Image Turbo via DashScope) match the included script and docs: the skill builds a JSON payload, posts to DashScope endpoints, downloads the returned image, and saves outputs. However the registry metadata lists no required environment variables or primary credential while both SKILL.md and scripts require a DASHSCOPE_API_KEY (and support DASHSCOPE_BASE_URL). This mismatch is an incoherence that should be resolved.
Instruction Scope
SKILL.md and scripts instruct the agent to load environment variables from .env (current working dir and repo root detected via .git), and to read ~/.alibabacloud/credentials; these are used to populate DASHSCOPE_API_KEY. While that is functionally related to authenticating to DashScope, automatically loading arbitrary .env files and the user's ~/.alibabacloud/credentials increases the chance of pulling unrelated secrets. The skill also allows a request-provided or env-provided base_url override, which would cause the API key to be sent to a non-official endpoint if set — this is a potential exfiltration vector if misconfigured or if an attacker supplies a malicious base_url.
Install Mechanism
This is instruction-only with a single helper script; there is no install spec and nothing is downloaded from external URLs at install time. That keeps install risk low.
Credentials
The skill requires an API key (DASHSCOPE_API_KEY) to function, which is proportionate to its purpose, but the skill's registry metadata did not declare this required environment variable. The script additionally looks for DASHSCOPE_BASE_URL and will read credentials from ~/.alibabacloud/credentials and local .env files — behavior that is reasonable to locate a key but should have been declared. The fact that metadata omits required credentials and the skill will read multiple local config locations is an inconsistency and raises privacy/operational questions.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It writes outputs into an output/ directory and only reads local credential/config files to obtain the API key. It does not modify other skills or system-wide agent configuration.
What to consider before installing
Before installing or running this skill:

  1. Expect to provide a DASHSCOPE_API_KEY — the registry metadata omits this, so set the env var explicitly rather than relying on automatic .env or credentials lookups.
  2. Inspect any local .env and ~/.alibabacloud/credentials files the script might read; only permit the skill to access keys you are comfortable exposing.
  3. Be cautious with the base_url override — do not set base_url or DASHSCOPE_BASE_URL to an untrusted endpoint (that would send your API key elsewhere).
  4. Because the skill's homepage and source are unknown, prefer running the included script in an isolated environment (or review the script locally) before giving it network access or secrets.
  5. Ask the publisher to fix the metadata to declare required env vars and document why it reads .env and credentials files; the metadata mismatch is the primary practical inconsistency here.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Category: provider

Model Studio Z-Image Turbo

Use Z-Image Turbo for fast text-to-image generation via the DashScope multimodal-generation API.

Critical model name

Use ONLY this exact model string:

  • z-image-turbo

Prerequisites

  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials (env takes precedence).
  • Choose region endpoint (Beijing or Singapore). If unsure, pick the most reasonable region or ask the user.

Normalized interface (image.generate)

Request

  • prompt (string, required)
  • size (string, optional) e.g. 1024*1024
  • seed (int, optional)
  • prompt_extend (bool, optional; default false)
  • base_url (string, optional) override API endpoint

Response

  • image_url (string)
  • width (int)
  • height (int)
  • prompt (string)
  • rewritten_prompt (string, optional)
  • reasoning (string, optional)
  • request_id (string)
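
The base_url field above (and DASHSCOPE_BASE_URL) decides where the Authorization header is sent, so a wrapper can check the endpoint before attaching the key. The following is an added example, not the skill's own script; the allowlist contents, the /api/v1 default base, the request-over-env precedence and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the first host appears in this page's quick start; the
# second is assumed here for the Singapore region (check references/api_reference.md).
ALLOWED_HOSTS = frozenset({
    "dashscope.aliyuncs.com",
    "dashscope-intl.aliyuncs.com",  # assumption, not stated on this page
})
DEFAULT_BASE_URL = "https://dashscope.aliyuncs.com/api/v1"  # assumed base prefix


class UntrustedEndpoint(ValueError):
    """Raised when a base_url would send the API key to an unapproved host."""


def resolve_base_url(request: dict, env: dict) -> str:
    """Pick the endpoint (request, then env, then default) and vet it."""
    candidate = request.get("base_url") or env.get("DASHSCOPE_BASE_URL") or DEFAULT_BASE_URL
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        raise UntrustedEndpoint(f"refusing non-HTTPS endpoint: {candidate!r}")
    if parts.username is not None or parts.password is not None:
        raise UntrustedEndpoint("refusing endpoint with embedded userinfo")
    # urlsplit lower-cases hostname; compare for exact equality, never by
    # suffix or substring, so look-alike hosts do not pass.
    if parts.hostname not in ALLOWED_HOSTS:
        raise UntrustedEndpoint(f"host not in allowlist: {parts.hostname!r}")
    if parts.port not in (None, 443):
        raise UntrustedEndpoint(f"unexpected port: {parts.port}")
    return candidate.rstrip("/")


def auth_headers(request: dict, env: dict) -> tuple[str, dict]:
    """Return (base_url, headers); the key is attached only after the check."""
    base_url = resolve_base_url(request, env)
    key = env.get("DASHSCOPE_API_KEY")
    if not key:
        raise KeyError("DASHSCOPE_API_KEY is not set")
    return base_url, {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
```

Call auth_headers(request, os.environ) before building the HTTP request, and treat UntrustedEndpoint as a hard failure rather than falling back to the supplied URL.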

Quick start (curl)

curl -sS 'https://dashscope.aliyuncs.com/api/v1/services/aigc/multimodal-generation/generation' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $DASHSCOPE_API_KEY" \
  -d '{
    "model": "z-image-turbo",
    "input": {
      "messages": [
        {
          "role": "user",
          "content": [{"text": "A calm lake at dawn, a lone angler casting a line, cinematic lighting"}]
        }
      ]
    },
    "parameters": {
      "size": "1024*1024",
      "prompt_extend": false
    }
  }'

Local helper script

python skills/ai/image/alicloud-ai-image-zimage-turbo/scripts/generate_image.py \
  --request '{"prompt":"a fishing scene at dawn, cinematic, realistic","size":"1024*1024"}' \
  --output output/ai-image-zimage-turbo/images/fishing.png \
  --print-response

Size notes

  • Total pixels must be between 512*512 and 2048*2048.
  • Prefer common sizes like 1024*1024, 1280*720, 1536*864.

Cost note

  • prompt_extend=true is billed higher than false. Only enable when you need rewritten prompts.

Output location

  • Default output: output/ai-image-zimage-turbo/images/
  • Override base dir with OUTPUT_DIR.

Validation

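mkdir -p output/alicloud-ai-image-zimage-turbo
status=0
for f in skills/ai/image/alicloud-ai-image-zimage-turbo/scripts/*.py; do
  python3 -m py_compile "$f" || status=1   # remember any compile failure
done
# Write the marker only if every script compiled; otherwise exit non-zero.
[ "$status" -eq 0 ] && echo "py_compile_ok" > output/alicloud-ai-image-zimage-turbo/validate.txt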

Pass criteria: command exits 0 and output/alicloud-ai-image-zimage-turbo/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-ai-image-zimage-turbo/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • references/api_reference.md for request/response schema and regional endpoints.
  • references/sources.md for official docs.
