Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jimeng Image Skill Openclaw

Generate images from text prompts using the Jimeng API with customizable size, scale, seed, and output path via Python scripts.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 16 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's stated purpose is image generation via Jimeng, which matches the included Python script that uses volcengine.VisualService. However the package/registry metadata lists no required environment variables or primary credential while the SKILL.md and script require Jimeng_Access_Key and Jimeng_Secret_Key — this mismatch is incoherent and should have been declared in metadata.
[!] Instruction Scope
SKILL.md instructs the agent to read environment variables or ~/.openclaw/.env and to run scripts/main.py and then send resulting images via the same channel. The actual script only reads environment variables (it does not parse ~/.openclaw/.env), writes PNG files to the configured output path, and makes network calls to the VisualService. The instructions are imprecise and include guidance (reading an .env file and 'send the image via same channel') that is outside the script's direct behavior and could encourage the agent to access ambient config or messaging connectors.
Install Mechanism
This is instruction-only with a single Python script; there is no automated install spec. The SKILL.md lists volcengine-python-sdk as a dependency to pip-install — that's a normal third-party dependency but it is networked code you should trust and possibly audit before installing.
[!] Credentials
The skill requires two secret environment variables (Jimeng_Access_Key and Jimeng_Secret_Key) according to SKILL.md and the script, but the registry metadata does not declare any required env vars or a primary credential. Requesting those secrets is proportionate to the stated purpose, but omitting them from metadata is a transparency problem and increases risk because users may not realize what credentials will be used.
Persistence & Privilege
The skill does not request always:true, does not attempt to modify other skills or global agent settings, and only writes generated images into the user's workspace. It creates directories and files but does not request elevated privileges or persistent platform-level presence.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged by the pre-scan. This is not expected for a simple instructions file and can be used to obfuscate or influence interpreters/scanners; review the raw file and remove or normalize suspicious characters before trusting the skill.
What to consider before installing
What to check before installing or running this skill:
  • Credentials: The SKILL.md and script require environment variables Jimeng_Access_Key and Jimeng_Secret_Key, but the skill metadata does not declare them. Do not provide secrets until you are comfortable with where they will be sent. Prefer creating a scoped API key with minimal permissions.
  • Review network dependency: The script uses volcengine-python-sdk (a third-party package). Inspect that package's source or install it in an isolated environment if you plan to run the skill.
  • Inspect the script: The script writes PNG files to the configured output_path. Note it uses '~' in the default path but does not call os.path.expanduser, so it may create a directory literally named '~' rather than your home path — test in a safe directory first.
  • Prompt-injection artifact: The SKILL.md contains unicode control characters flagged by a scanner; this could be benign (bad encoding) or an attempt to evade detection. Open the file in a hex/clean-text viewer and remove unexpected control characters.
  • Run in isolation: Because the skill will call an external image-generation API with your keys, run it first on a throwaway account or in an isolated container/VM to verify behavior and network endpoints.
  • Metadata fix: Prefer installing only after the skill owner updates the registry metadata to declare the required environment variables and primary credential so you can audit permissions more easily.
If you want, I can: (1) show exact lines in SKILL.md that contain control characters, (2) suggest a minimal patched version of the script (expanduser, create intermediate dirs), or (3) provide commands to run the script safely in a container.
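One way to carry out the control-character review recommended above, as an added example that is not part of the skill or of the ClawHub scanner: it reports every Unicode control (Cc) or format (Cf) character with its line and column so the raw SKILL.md can be inspected and cleaned. The function names and the sample text are constructed for illustration.

```python
import unicodedata

# Whitespace controls that are normal in a text file.
ALLOWED = {"\n", "\r", "\t"}
# Bidirectional marks, overrides and isolates: rendered order can differ from byte order.
BIDI = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def find_hidden_chars(text):
    """Return (line, column, 'U+XXXX', name, kind) for each control (Cc) or
    format (Cf) character other than ordinary whitespace."""
    findings = []
    # Split on "\n" only: str.splitlines() would silently consume controls
    # such as U+000B or U+0085 as line breaks and hide them from the scan.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ALLOWED:
                continue
            cat = unicodedata.category(ch)
            if cat not in ("Cc", "Cf"):
                continue
            kind = "bidi" if ch in BIDI else ("format" if cat == "Cf" else "control")
            name = unicodedata.name(ch, "<unnamed control>")
            findings.append((lineno, col, f"U+{ord(ch):04X}", name, kind))
    return findings


def strip_hidden_chars(text):
    """Return text with every character that find_hidden_chars would flag removed."""
    return "".join(
        ch for ch in text
        if ch in ALLOWED or unicodedata.category(ch) not in ("Cc", "Cf")
    )


# Constructed sample, not the skill's real SKILL.md.
SAMPLE = (
    "How to use this skill\n"
    "\u200b Run from the OpenClaw workspace:\n"
    "output dir is \u202eimages\u202c\n"
    "plain line with a tab\there\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name, kind in find_hidden_chars(SAMPLE):
        print(f"line {lineno} col {col}: {cp} {name} [{kind}]")
```

To scan a real file, read it with `open(path, encoding="utf-8").read()` and pass the text to `find_hidden_chars`; review the findings before applying `strip_hidden_chars`.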

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0
latest: vk9727j6vchy8cq0e8pemcwej81831ae4

SKILL.md

Jimeng-Image

When to use this skill

Use this skill when the user expresses a request such as "You need to generate an image".

How to use this skill

  1. Provide the Access Key and Secret Key either as environment variables (Jimeng_Secret_Key=... and Jimeng_Access_Key=...) or as lines in ~/.openclaw/.env (Jimeng_Secret_Key=... and Jimeng_Access_Key=...).

  2. Execute scripts/main.py.

  3. When the response arrives, the script saves the PNG file to ~/.openclaw/workspace/images. (The script creates the images directory if it does not exist.)

  4. Finally, send the new image from ~/.openclaw/workspace/images to the user through the same channel, such as qqbot.

Requirements

  • argparse
  • datetime
  • volcengine-python-sdk
  • base64
  • os

If any of these is not installed, install it with pip.

Tips:

  • The baseDir is /skills/Jimeng-Image under your workspace.
  • If the user does not specify the output path, the output directory is ~/.openclaw/workspace/images.

Command example

user:

I need an image by prompt: "A girl in an anime style"

You:

Run from the OpenClaw workspace:

python3 {baseDir}/scripts/main.py --prompt "A girl in an anime style"

user:

I need an image by prompt: "A girl in an anime style and width is 512 and height is 512"

You:

Run from the OpenClaw workspace:

python3 {baseDir}/scripts/main.py --prompt "A girl in an anime style" --width "512" --height "512"

The script's command-line parameters

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| --prompt | str | 'none' | Path of the prompt file |
| --output_path | str | '~/.openclaw/workspace/images' | The saving path of the output file |
| --use_pre_llm | bool | False | Whether to use a pre-trained language model |
| --seed | int | -1 | Random seed (-1 indicates random) |
| --scale | float | 1.0 | The scaling ratio of the output image |
| --width | int | 1920 | The width (in pixels) of the output image |
| --height | int | 1080 | The height (in pixels) of the output image |

Files

2 total