ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flux Image

v1.0.0

Generate and edit images with Flux (Black Forest Labs) via AceDataCloud API. Use when creating images from text prompts, editing existing images with text in...

0· 61·0 current·0 all-time
by@germey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes generating and editing images via AceDataCloud's Flux API — that purpose aligns with the endpoints and parameters shown. However, the registry metadata lists no required environment variables while the SKILL.md explicitly requires ACEDATACLOUD_API_TOKEN, an inconsistency that should be resolved.
Instruction Scope
Runtime instructions are narrowly focused: curl POSTs to api.acedata.cloud, JSON request bodies for generation/editing, and optional polling of /flux/tasks. The doc does not instruct reading unrelated files or other secrets.
Install Mechanism
This is an instruction-only skill (no install spec). The README suggests optionally installing a third-party pip package (mcp-flux), which is expected for tool integration but should be verified before running.
!
Credentials
The SKILL.md requires ACEDATACLOUD_API_TOKEN (appropriate for an API client), but the registry metadata declares no required env vars or primary credential — a mismatch. Confirming where the token comes from and its intended scope is important.
Persistence & Privilege
No persistent installation or elevated privileges are requested (always:false, user-invocable:true, no config paths). Agent autonomous invocation is allowed by default but not a special privilege here.
What to consider before installing
This skill appears to do what it says (call AceDataCloud Flux to generate/edit images), but the SKILL.md requires an ACEDATACLOUD_API_TOKEN while the registry metadata omitted it — ask the publisher to confirm the credential requirement and token scope. Before installing or running: (1) verify the API host (https://api.acedata.cloud) is legitimate and that you trust the service; (2) create a limited-scope API token (not a broad account key) if possible; (3) be cautious about letting the agent autonomously call the API using that token; (4) if you plan to pip install mcp-flux, inspect that package (source, maintainers, versions) before installing. If the publisher cannot explain the metadata mismatch or the token's intended permissions, treat the skill with caution or avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d47a2n811fjn8e08pa3w94x83cy83

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments