Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
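mdclaw multimodal image and video generation
v2.0.1
MDClaw OpenClaw API skill supporting multimodal AI capabilities including text-to-speech (TTS), text-to-image, text-to-video, and image-to-video. Calls go through a single gateway service, with full support for account registration, image upload, task polling, and more.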
by @cnskycn
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, README, and mdclaw_client.py are consistent: a client for a remote MDClaw gateway providing TTS, text->image, text->video, image->video, upload, search, etc. However the published registry metadata (in the evaluation header) stated 'Required env vars: none' and 'Primary credential: none' while the code and clawhub.toml explicitly require MDCLAW_API_KEY. This mismatch is an incoherence in metadata vs. actual capability requirements.
Instruction Scope
SKILL.md and the client instruct the agent to call a single external gateway (https://backend.appmiaoda.com/.../openclaw-skill-gateway). The client will also read local image files (upload_image) and POST file contents to an upload endpoint derived from the gateway. That behavior is expected for an image-uploading/video-generation client, but it means local files and any prompts are transmitted to an external third party. The SKILL.md does not warn about uploading sensitive files or who controls the gateway; the owner/source/homepage are unknown.
Install Mechanism
No install spec; included files are Python source and examples. Dependency is only requests (requirements.txt). Nothing is downloaded from arbitrary URLs during install. This is low install risk.
Credentials
The code and clawhub.toml require an MDCLAW_API_KEY (passed via X-API-Key) which is proportional to the stated purpose. However the registry metadata provided at the top of this evaluation incorrectly lists no required env vars/primary credential — an inconsistency that could mislead users or automated installers into not providing/validating credentials. Requesting an API key is expected; requesting additional unrelated secrets would be concerning (not present here).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence mechanism beyond the code files themselves. Normal autonomous invocation is allowed (default) but not combined with any other elevated privilege.
What to consider before installing
Key points to consider before installing:
- The client will send your prompts, API key, and any uploaded files to the external gateway at backend.appmiaoda.com. Do not upload sensitive images or data unless you trust that endpoint and its operator.
- The code and clawhub.toml require MDCLAW_API_KEY, but the registry header metadata omitted that—this mismatch is a red flag. Verify credentials handling and update metadata before trusting automated installs.
- The package has no listed homepage or identifiable owner; if you need this skill, ask the publisher for provenance (who runs the gateway, privacy/data-retention policies, and SLA).
- If you want to test it, run in an isolated environment or sandbox with a throwaway API key and avoid uploading private files. Monitor egress traffic to confirm only expected endpoints are contacted.
- If you cannot confirm the gateway operator or metadata, prefer alternative well-known providers or self-hosted solutions. If you proceed, grant the minimum necessary permissions to the API key and rotate it after testing.

Like a lobster shell, security has layers — review code before you run it.
