AI 衣橱搭配
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill needs access to an API key for the AI Closet service, so that key will be used when requests are made.
The script uses the declared AICLOSET_API_KEY credential, optionally reading it from the local OpenClaw config, then sends it as the x-api-key header to the outfit API.
API_KEY = os.environ.get("AICLOSET_API_KEY", "") ... cfg_path = Path.home() / ".openclaw" / "openclaw.json" ... headers={"Content-Type": "application/json", "x-api-key": API_KEY}Use a dedicated API key for this service if possible, avoid sharing broad credentials, and remove or rotate the key if you stop using the skill.
Location-like and preference information may leave the local environment and be processed by the AI Closet API.
The script sends the user's date, city, province, and style preferences to an external provider endpoint as part of generating the outfit.
API_URL = "https://aicloset-dev-h5.wxbjq.top/algorithm/open/system_outfit/create_task" ... params = {"date": args.get("date", time.strftime("%Y-%m-%d")), "city_name": args.get("city", "杭州"), "province_name": args.get("province", "浙江"), "style_text": args.get("style", "休闲")}Only use the skill if you are comfortable sending these outfit parameters to the declared API endpoint.
Using the skill runs local commands and processes user-provided parameters instead of only returning a chat response.
The skill intentionally directs the agent to invoke a local script through Bash with parameters inferred from user input.
用 Bash 工具直接执行 `scripts/generate_outfit.py`,传入对应参数: ```bash python3 scripts/generate_outfit.py --date=2026-03-13 --city=杭州 --province=浙江 --style=休闲 ```
Keep invocations limited to the documented script and ensure any free-form parameter values are quoted or handled safely by the agent runtime.
The skill will only work if a trusted ImageMagick installation is available locally.
The skill relies on an external ImageMagick binary from the user's PATH; the dependency is disclosed, but it is not enforced by an install spec or required-binary metadata.
if not shutil.which("magick"):
print("❌ 未检测到 ImageMagick,请先安装:") ... subprocess.run(["magick"] + list(args), check=True, capture_output=True)Install ImageMagick from a trusted package source and be aware that the registry metadata may not pre-check this dependency.