Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
infograhic
v0.11.0 · Use the Zoe model to generate new images or edit existing ones, for infographics, posters, illustrations and other visual content. Use when the user explicitly asks to create a new image, infographic, poster, or illustration, or asks to edit an exi...
⭐ 0 · 53 · 0 current · 0 all-time
by PengGao @gaclove
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (text-to-image / image-edit) aligns with the included scripts: they call a Zoe REST API to generate or edit images. However the registry metadata (Requirements) lists no required environment variables or primary credential, while the code and SKILL.md expect an API key (ZOE_INFOG_API_KEY) and runtime Python dependencies (python, httpx). That undeclared credential is inconsistent with the skill manifest and should have been declared.
Instruction Scope
SKILL.md tightly controls execution to a Worker Agent and instructs launching the included Python scripts. The scripts resolve source images (local paths, URLs, or cached keys), will upload local files to the external API, and write outputs under /tmp/openclaw. Uploading arbitrary local paths to a remote service is expected for an image-edit skill but is also a potential data-exfiltration vector; the instructions do not add unexpected behaviors beyond that, but they do require the agent to access local files and environment variables.
Install Mechanism
No install spec is present (instruction-only), which minimizes install-time risk. The repo includes Python scripts that require python and the httpx library; SKILL.md metadata lists those, but the higher-level registry entry did not. Because code runs at runtime, ensure the execution environment has the declared Python dependencies and that executing included scripts is acceptable.
Credentials
The runtime files require an API key via environment variable ZOE_INFOG_API_KEY (and accept --api-key) and optionally API_BASE_URL. The registry/manifest did not declare any required env vars or primary credential — this omission is a mismatch. Also, the scripts will read local files (when given local paths) and upload them to the external Zoe endpoint, so granting access to local files and the API key is necessary but sensitive and should be explicit to users.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide changes, and writes only to its own output directory (/tmp/openclaw). It does execute code at runtime but does not persistently modify other skills or global agent configuration.
What to consider before installing
Before installing: be aware this skill will call an external Zoe REST API (default base URL: https://zoe-api.sensetime.com/zoe-model) and requires an API key passed via ZOE_INFOG_API_KEY or --api-key — but the registry entry does not declare that credential or the Python/httpx dependency. If you install, only provide the API key you intend for this service (do not reuse other sensitive keys), and avoid running the skill on machines containing sensitive local files you would not want uploaded, since image-edit tasks will upload local image paths to the remote service. Ask the publisher to correct the manifest (declare ZOE_INFOG_API_KEY as a required credential and list python + httpx), verify the endpoint is trusted, and confirm privacy/retention policies for uploaded images before granting the key. If you need higher assurance, request an updated skill manifest that explicitly lists required env vars and dependencies and a description of exactly what is uploaded and stored by the backend.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97apk7cj12y1c6ewxdkwjwhmn84b50g
