AI Closet Outfit Matching

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill

Name: aicloset-outfit

Version: 0.9.1

The skill is a legitimate tool for generating AI outfit recommendations. It uses a Python script (scripts/generate_outfit.py) to communicate with a specific backend API (aicloset-dev-h5.wxbjq.top), downloads images, and uses ImageMagick to composite them into a single preview. The script handles API keys via standard environment variables or local configuration files and uses safe subprocess calls to execute system commands for image processing and display, with no evidence of malicious intent, data exfiltration, or unauthorized access.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill needs access to an API key for the AI Closet service, so that key will be used when requests are made.

Why it was flagged

The script uses the declared AICLOSET_API_KEY credential, optionally reading it from the local OpenClaw config, then sends it as the x-api-key header to the outfit API.

Skill content
```python
API_KEY = os.environ.get("AICLOSET_API_KEY", "")
...
cfg_path = Path.home() / ".openclaw" / "openclaw.json"
...
headers={"Content-Type": "application/json", "x-api-key": API_KEY}
```

Recommendation

Use a dedicated API key for this service if possible, avoid sharing broad credentials, and remove or rotate the key if you stop using the skill.

What this means

Location-like and preference information may leave the local environment and be processed by the AI Closet API.

Why it was flagged

The script sends the user's date, city, province, and style preferences to an external provider endpoint as part of generating the outfit.

Skill content
```python
API_URL = "https://aicloset-dev-h5.wxbjq.top/algorithm/open/system_outfit/create_task"
...
params = {"date": args.get("date", time.strftime("%Y-%m-%d")), "city_name": args.get("city", "杭州"), "province_name": args.get("province", "浙江"), "style_text": args.get("style", "休闲")}
```

Recommendation

Only use the skill if you are comfortable sending these outfit parameters to the declared API endpoint.

What this means

Using the skill runs local commands and processes user-provided parameters instead of only returning a chat response.

Why it was flagged

The skill intentionally directs the agent to invoke a local script through Bash with parameters inferred from user input.

Skill content
Use the Bash tool to run `scripts/generate_outfit.py` directly, passing the corresponding parameters:

```bash
python3 scripts/generate_outfit.py --date=2026-03-13 --city=杭州 --province=浙江 --style=休闲
```

Recommendation

Keep invocations limited to the documented script and ensure any free-form parameter values are quoted or handled safely by the agent runtime.

What this means

The skill will only work if a trusted ImageMagick installation is available locally.

Why it was flagged

The skill relies on an external ImageMagick binary from the user's PATH; the dependency is disclosed, but it is not enforced by an install spec or required-binary metadata.

Skill content
```python
if not shutil.which("magick"):
    print("❌ 未检测到 ImageMagick,请先安装:")
...
subprocess.run(["magick"] + list(args), check=True, capture_output=True)
```

Recommendation

Install ImageMagick from a trusted package source and be aware that the registry metadata may not pre-check this dependency.