ClawHub

Kimi K2.5 Vision

v1.0.0

使用 Kimi K2.5 识别图片,专为阿里百炼 GLM 用户设计。自动从 OpenClaw 配置读取 API Key。当模型返回"no media-understanding provider"或用户要求图片分析时触发。

0· 105·0 current·0 all-time
by@flowstart
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Kimi K2.5 image recognition for Ali Bailian / DashScope) matches the code: the script encodes an image and posts it to a DashScope API using a 'DASHSCOPE_API_KEY'. The SKILL metadata declared no required env vars, which is acceptable because the key is optional and auto-detected. Minor inconsistency: SKILL.md says the script 'will cache' the key for next runs, but the script reads a cache file (~/.openclaw/.kimi_vision_key_cached) without ever writing to it.
Instruction Scope
SKILL.md and the script stay on-scope: they explain how to run the script, where the script searches for API keys (~/.openclaw/openclaw.json, env var, cache), and how to persist a key to ~/.openclaw/.env. Important runtime behavior: the script base64-encodes the entire image and sends it to the external DashScope API endpoint, which is expected for image recognition but means user images are transmitted off-machine.
Install Mechanism
Instruction-only skill with a single Python script and no install spec — nothing is downloaded or installed during skill setup.
Credentials
The only credential used is DASHSCOPE_API_KEY (located optionally in env or OpenClaw config); this is proportional to the stated purpose. Note: the skill will read ~/.openclaw/openclaw.json and optionally a cache file; users should ensure those files do not contain unrelated secrets they don't want read by the script. The script transmits image data to the listed external API (dashscope) — appropriate for functionality but privacy-relevant.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not perform any privileged system modifications. It suggests the user persist their API key to ~/.openclaw/.env (a user action).
Assessment
This skill appears to do what it says: it reads a DashScope API key (from env or ~/.openclaw/openclaw.json), encodes your image, and uploads it to the DashScope endpoint for analysis. Before installing/running: (1) confirm you trust the DashScope endpoint (https://coding.dashscope.aliyuncs.com) because your images will be sent there; (2) check ~/.openclaw/openclaw.json and any files under ~/.openclaw for sensitive data you don't want read; (3) be aware the SKILL.md mentions caching the key but the script reads a cache file without writing one — if you want persistent caching, you'll need to add the key to ~/.openclaw/.env yourself. If any of these behaviours are unacceptable, do not install or run the script.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c3mrtmnedg71vna99y0b03n83vb60

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments