Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qwen Logo Designer

v1.0.4

Commercial LOGO design skill. Generates professional commercial LOGO images from a user's description. Uses the Alibaba Cloud Bailian Qwen image model (qwen-image-2.0-pro) for text-to-image generation. Use this skill when the user needs to: (1) design a company/brand LOGO (2) generate commercial identity icons (3) create brand visual symbols (4) generate a logo image from a description. Supports custom sizes, styles, negative prompts, etc...

by Marvin@imnull
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included script: it calls an image model API to generate logos. However the skill metadata claims 'no required env vars' while both SKILL.md and scripts/generate_logo.py require a DASHSCOPE_API_KEY and optionally LOGO_OUTPUT_DIR/WORKSPACE — this metadata omission is an incoherence.
Instruction Scope
SKILL.md instructs the agent to call scripts/generate_logo.py which makes network calls to the Aliyun DashScope API and downloads resulting image URLs, saves files to disk, and sets filesystem permissions. Those actions are within the goal of saving generated images, but the instructions reference environment variables and file operations not declared in the skill metadata and they modify file permissions (chmod 644/755) — worth reviewing before use.
Install Mechanism
This is an instruction-only skill with a bundled script and no install spec or external downloads. No package installs or remote installers are used.
Credentials
The runtime requires an API key (DASHSCOPE_API_KEY) to call the external image API and also reads LOGO_OUTPUT_DIR / WORKSPACE for output paths; none of these were declared in the skill's metadata. Requesting a single API key is proportionate to the stated purpose, but the metadata mismatch and the script's ability to write arbitrary output files (including via the --output option) and change directory permissions increase risk and should be documented and approved.
Persistence & Privilege
always:false and no apparent self-enabling behavior. The skill writes image files to a user-controlled directory but does not request permanent agent-wide privileges or modify other skills' config.
What to consider before installing
This skill appears to do what it says (generate logos), but the package metadata incorrectly lists no required env vars while the script and SKILL.md require DASHSCOPE_API_KEY and optionally LOGO_OUTPUT_DIR/WORKSPACE. Before installing: (1) confirm the DASHSCOPE_API_KEY is from a trusted provider and avoid using high-privilege keys; (2) review and, if needed, change the output directory to an isolated folder you control; (3) be aware the script can overwrite paths provided via --output and will set directory/file permissions (chmod 755/644) — avoid pointing it at sensitive system paths; (4) inspect the full script locally (it uses curl) and consider running it in a sandbox or container if you want to limit network/file-system exposure. If the skill registry should declare required env vars, ask the publisher to update metadata to include DASHSCOPE_API_KEY and the output-related env vars.


Tags: design, image-generation, latest, logo, qwen
