ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

豆包AI图像生成

v1.0.0

Generate free AI images via Doubao web interface using automated browser interaction for detailed and styled visual content without API costs.

0· 93·0 current·0 all-time
by@fanxi-ju
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The stated purpose (browser-automated image generation on Doubao) matches the instructions, but the skill does not declare or document required automation tooling (e.g., Puppeteer/Selenium, headless browser) or credentials needed for delivery endpoints. Asking the agent to 'mimic human interaction to avoid bot detection' is disproportionate and suggests actions beyond straightforward automation.
!
Instruction Scope
SKILL.md instructs browser navigation, DOM element targeting, screenshot capture, local file writes to /workspace/ai_images/doubao/, and delivering images to external chat (Feishu) — but it does not declare how the agent will obtain Feishu credentials or the browser automation runtime. The explicit guidance to avoid bot detection is scope-creep and ethically questionable; it may imply bypassing site protections or terms of service.
Install Mechanism
There is no install spec (instruction-only), which reduces file-written-to-disk risk. However, the technical requirements (browser automation, element targeting, user-agent control) imply additional tooling that the skill does not declare or install, creating an operational gap the deployer must fill.
!
Credentials
The skill requests no environment variables or credentials in metadata but refers to delivering images to Feishu chat and using a user agent/cookies for automation. That delivery/integration normally requires API tokens or web session credentials — their absence in the declared requirements is an inconsistency and could lead to ad-hoc credential handling or insecure storage.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It writes to a local workspace path per its instructions, which is expected for an image-generation task. The default ability for the agent to invoke the skill autonomously is enabled (disable-model-invocation: false), which is normal but worth noting.
What to consider before installing
This skill is inconsistent and raises red flags. Before installing, ask the publisher for: (1) a list of required automation tools (Puppeteer/Selenium, browser binary) and an install spec; (2) how Feishu (or other) delivery is authenticated and where tokens are stored; (3) confirmation they are not instructing the agent to bypass Doubao's terms or bot-detection defenses. Consider legal/ToS risk: automating to 'avoid bot detection' can violate the target site's terms and lead to account suspension or legal issues. If you still want to proceed, only run it in a controlled environment, provide minimal, well-scoped credentials (not long-lived account owner secrets), and prefer using official APIs or partnering with the service instead of automated UI scraping.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cgkgcsgpxaneejqbpdt1mvd83pkww

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments