Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Seedream 5 via BytePlus
v0.1.0
Generate images with Seedream 5 through the BytePlus Ark API using a direct API key. Use when the user wants Seedream 5 image generation, mentions BytePlus A...
by Gamal Eldien Tarek Abdelsataar (@gamaleldientarek)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared registry metadata lists no required environment variables or primary credential, but both the SKILL.md and the included script require SEEDREAM_API_KEY. Requiring an API key is expected for this purpose, but failing to declare it in metadata is an incoherence.
Instruction Scope
The instructions and script stay within the stated purpose (POST to BytePlus Ark and download the returned image). However the script sources /root/.clawdbot/.env if present, which may cause the skill to load unrelated secrets from a global agent file rather than a skill-scoped credential — this broad file access is out of scope for simple image generation.
Install Mechanism
No install spec; skill is instruction-only with a small bundled shell script. Nothing is downloaded or executed from external URLs during install.
Credentials
Requesting an API key (SEEDREAM_API_KEY) is proportionate, but the package fails to declare it in metadata. Additionally, sourcing /root/.clawdbot/.env can expose other environment secrets stored there — the script assumes a global agent .env location rather than using a clearly-named skill-scoped variable or config file.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and only writes output into /root/clawd/output. Autonomous invocation is allowed (platform default) but not combined with other broad privileges here.
What to consider before installing
This skill appears to perform the advertised task, but the package is inconsistent and could leak unrelated secrets. Before installing or using it:
(1) Confirm and set SEEDREAM_API_KEY explicitly (the registry metadata did not declare it).
(2) Avoid putting unrelated secrets in /root/.clawdbot/.env; instead store the key in a skill-specific env file or pass it at runtime.
(3) Review the included script (scripts/seedream-generate.sh) yourself — it POSTs to BytePlus Ark and then downloads the returned image URL, printing raw API responses on failure.
(4) Run the skill in a restricted environment or container if you are concerned about .env exposure.
If the maintainer can update the registry metadata to declare SEEDREAM_API_KEY and remove or namespace the global .env sourcing, the package would be more trustworthy.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97cqcb9azjg75scsehtws1hv584dvwk
