Designkit Ecommerce Studio
v1.0.2
Use when users need ecommerce image help such as background removal, transparent or white background output, blurry photo restoration, or listing image gener...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implemented capabilities: background removal, image restoration, and listing-image workflows. The single required credential DESIGNKIT_OPENCLAW_AK is exactly what's used as an X-Openclaw-AK header in the HTTP clients.
Instruction Scope
Runtime instructions direct the agent to run the bundled scripts (run_command.sh / run_ecommerce_kit.sh) which will call the Designkit/OpenClaw APIs and will upload local images only when the user explicitly provides a local path. The SKILL.md explicitly forbids browsing unrelated local files. Note: the code will perform network calls and upload user-supplied local images to the provider — this is expected but important to surface to non-technical users.
Install Mechanism
No install spec; code is bundled with the skill and execution is via included scripts. There is no external arbitrary download during install.
Credentials
Only one required secret (DESIGNKIT_OPENCLAW_AK) is declared and used as the API key. The code also reads several optional environment variables (DESIGNKIT_WEBAPI_BASE, OPENCLAW_API_BASE, OPENCLAW_REQUEST_LOG, DESIGNKIT_OPENCLAW_AK_URL, etc.) that are not required by the manifest — this is reasonable for configuration but worth noting. The skill does not request unrelated credentials.
Persistence & Privilege
always is false and the skill does not request persistent elevated privileges or modify other skills. It requires network, shell, and filesystem permissions which align with its stated operation (uploading user-provided files and calling APIs).
Assessment
This skill appears to do what it says: it will call Designkit/OpenClaw APIs and will upload any local image files you explicitly provide. Before enabling or providing your API key:
1) Confirm you trust the provider at the listed domains (designkit.com and openclaw-designkit-api.meitu.com).
2) Understand that local images will be transmitted to that service; do not upload sensitive/private images.
3) Keep OPENCLAW_REQUEST_LOG disabled (default) so request bodies are not printed to logs.
4) Provide only the DESIGNKIT_OPENCLAW_AK key and rotate it if you later revoke access.
5) If you want extra assurance, review the bundled scripts (run_command.sh, ecommerce_product_kit.py, openclaw_atomic_runner.py, openclaw_safety.py) to verify there are no unexpected network endpoints or data exfiltration behaviors beyond the documented API calls.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
Bins: bash, python3
Env: DESIGNKIT_OPENCLAW_AK
Primary env: DESIGNKIT_OPENCLAW_AK
