Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ArkRoute
v1.0.0Generate images and videos using the best visual AI models (Seedream, Nano Banana, Seedance). One API for Chinese and American AI models.
⭐ 0· 100·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (visual AI router) aligns with the provided curl and API examples to api.ark-route.com and the listed models; however the README-style instructions claim local MCP tooling (python3 /path/to/arkroute/mcp_server.py) and expose functions which would require code that is not bundled with the skill. Also model-provider mappings (e.g., 'nano-banana-2 — Google Gemini') may be marketing claims rather than verifiable technical requirements.
Instruction Scope
SKILL.md instructs the agent to start a local MCP server (mcp_server.py) and presents local Python integration snippets, but there are no code files or install steps included. It also demonstrates API calls that require an API key (Authorization: Bearer YOUR_API_KEY) even though no credential or env var is declared in the skill metadata. This mismatch gives the agent ambiguous guidance and could lead to failed or unsafe runtime behavior.
Install Mechanism
There is no install spec and no files beyond SKILL.md, so the skill does not write code to disk or pull external archives (low install mechanism risk). However the instructions assume a local mcp_server.py exists — the absence of that file means the SKILL.md is incomplete or expects out-of-band steps not documented here.
Credentials
The API examples require an API key but the skill declares no required environment variables or primary credential. A real integration would typically declare a primary API key env var (e.g., ARK_ROUTE_API_KEY). This omission is an incoherence between claimed operation and requested permissions.
Persistence & Privilege
The skill does not request always:true and has no install hooks, files, or persistent privileges. It does not ask to modify other skills or system settings in the provided instructions.
What to consider before installing
Before installing or enabling this skill:
- Understand it's instruction-only: there is no mcp_server.py or other code bundled — ask the publisher for the source or a clear install path if you need the local MCP integration.
- Expect to need an API key: the SKILL.md uses 'YOUR_API_KEY' in examples but the skill metadata does not declare any required env var. Verify how and where you'll securely store your ArkRoute API key (ask for a documented primaryEnv).
- Verify the endpoint and claims: confirm the authenticity of https://ark-route.com, check docs/source repo, and ensure model/provider claims (Google/ByteDance) are accurate and permitted.
- Privacy/billing: sending images/videos (possibly sensitive content) to a third-party API has privacy and billing implications—review their privacy policy, data retention, and cost model before sending sensitive data.
- If you need the MCP server capability, obtain and review the mcp_server.py source code before running it locally. Avoid running undocumented Python scripts from unknown sources.
- If the publisher provides a repository or release, prefer installing from a verifiable source (official GitHub release) and confirm TLS (HTTPS) endpoints and rate limits.
Providing the missing source code, an explicit install/integration guide, and a declared API key env var would increase confidence; without that, treat the skill as incomplete and verify externally before use.Like a lobster shell, security has layers — review code before you run it.
latestvk97axstkhj87mgk6zwk2639yax832y8w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎨 Clawdis