ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedream Image

v1.0.0

Generate and edit AI images with Seedream (ByteDance) via AceDataCloud API. Use when creating images from text prompts, editing existing images with inpainti...

0· 69·0 current·0 all-time
by@germey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes a Seedream (AceDataCloud) image-generation/editing client and the calls shown (curl to api.acedata.cloud) match that purpose. However, the registry metadata lists no required environment variables while the SKILL.md explicitly says the skill 'Requires ACEDATACLOUD_API_TOKEN' — metadata/manifest inconsistency.
Instruction Scope
Instructions are scoped to calling AceDataCloud endpoints and to providing an API token. They do not instruct the agent to read unrelated files, system credentials, or to exfiltrate local data. The only extra action is an optional pip install recommendation for 'mcp-seedream'.
Install Mechanism
This is an instruction-only skill (no install spec). It suggests 'pip install mcp-seedream' or using a hosted MCP URL; installing that package would install third-party code on the system — vet the package source before installing. No automatic downloads or extract steps are specified by the skill itself.
!
Credentials
The SKILL.md requires ACEDATACLOUD_API_TOKEN (expected for an API client) but the registry metadata lists no required env vars or primary credential. This mismatch is a red flag: the runtime needs a secret that the metadata does not declare. Ensure you only provide a token scoped to AceDataCloud and understand its permissions and data retention policy.
Persistence & Privilege
The skill does not request persistent 'always' inclusion, does not declare config paths, and does not attempt to modify other skills or agent-wide settings in the provided instructions.
What to consider before installing
Before installing or using this skill: 1) Note the SKILL.md requires ACEDATACLOUD_API_TOKEN but the package metadata does not declare it — treat that as an inconsistency and only provide a token you control and that is scoped/minimal. 2) The skill targets https://api.acedata.cloud and mentions an optional pip package (mcp-seedream). If you plan to 'pip install' that package, verify its origin (PyPI publisher, source repo, checksum) before installing. 3) The skill has no homepage and the owner ID is opaque; prefer skills with verifiable vendor information if you need to send sensitive images (PII). 4) Confirm AceDataCloud's billing, privacy, and data-retention policies — images you send may be stored or used according to their terms. 5) Ask the publisher to update registry metadata to list ACEDATACLOUD_API_TOKEN as a required credential and to provide a homepage/source repo; that fixes the main incoherence. If you need help vetting the 'mcp-seedream' package or the API domain, provide the package URL or token policy and I can help review further.

Like a lobster shell, security has layers — review code before you run it.

latestvk972jrqx0vehxkwncjvpkegbjh83ce34

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments