Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

seedream(doubao)-image-generation

v1.0.6

Image generation via Volcengine Seedream API. Use this when you need to perform Text-to-Image (T2I), Image-to-Image (I2I), or general visual creative tasks.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared requirements (SEEDREAM_API_KEY and SEEDREAM_BASE_URL) and the included Python/JS wrappers align with the stated purpose of calling Volcengine Seedream for T2I/I2I. Minor incoherence: the registry metadata and SKILL.md list SEEDREAM_BASE_URL as a required env var, but both code files treat SEEDREAM_BASE_URL as optional (they default to the Volcengine endpoint). This mismatch should be corrected.
Instruction Scope
Runtime instructions and scripts explicitly read user-supplied local image file paths, convert them to base64, and transmit them to the Seedream API; they also optionally download generated images to a local directory. That behavior is expected for I2I workflows, but it means any local file path you provide will be uploaded — a privacy/exfiltration risk if you pass sensitive files. The SKILL.md and scripts only reference the two declared env vars and the specified API endpoint.
Install Mechanism
There is no install spec or remote download; the skill is instruction-plus-local-scripts only. The code uses standard stdlib network/file APIs. No third‑party install or remote archive is fetched during install.
Credentials
The skill requests only SEEDREAM_API_KEY (primary) and SEEDREAM_BASE_URL. That is proportionate for a client of the Seedream API. Small inconsistency: registry metadata claims SEEDREAM_BASE_URL is required while code treats it as optional and uses a sensible default endpoint. JS also allows an override param 'api_key' at runtime which is acceptable but should be documented clearly.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide config. It does write files only when you explicitly pass a download_dir. Autonomous invocation is enabled by default but is not combined with other red flags here.
What to consider before installing
This skill appears to implement a legit wrapper for Volcengine Seedream, but review and precaution are recommended before use:
1) Correct the metadata mismatch — SEEDREAM_BASE_URL is optional in code but listed as required in metadata.
2) Inspect the scripts locally (they will read any local image path you pass and upload its base64 to the remote API). Do not pass sensitive file paths.
3) Note a likely bug/partial truncation in the Python entrypoint (an undefined/truncated variable near the end) — test the script in a safe environment first.
4) Use a dedicated API key with limited scope, avoid placing a broad-scoped SEEDREAM_API_KEY in a shared environment, and rotate the key if you suspect misuse.
5) If you need higher assurance, run the scripts in an isolated/sandbox environment and confirm the base URL is the official Volcengine endpoint before sending data.


latest · vk97d3kp6svwwbr0hj2h86tj0fh8329j1


Runtime requirements

Env: SEEDREAM_API_KEY, SEEDREAM_BASE_URL
Primary env: SEEDREAM_API_KEY
