qwenz-image-gen

v1.0.0

Generate images using Alibaba Cloud Bailian Qwen-Image and Z-Image models (通义千图文生图 + 人像照片模型)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's purpose (generate images via Alibaba Bailian Qwen-Image / Z-Image) matches the code and API endpoint used (dashscope.aliyuncs.com). However, the registry metadata in the package summary lists no required environment variables while SKILL.md and the script declare and require DASHSCOPE_API_KEY — an inconsistency that should be resolved.
Instruction Scope
Runtime instructions and the included script are focused on image generation and are proportionate: they build a JSON payload, POST to the Bailian endpoint, parse the response, and download the returned image. The script also attempts to discover the API key by reading TOOLS.md from several filesystem locations (current working dir, an absolute path /home/admin/clawd/TOOLS.md, and a path four levels up from the script). Reading those files is intended to obtain the declared key, but the locations accessed could expose or read files outside the skill's folder — worth noting before granting access.
Install Mechanism
This is an instruction-only skill with a single Python script and no install spec or external downloads. There is no package install or archive extraction — low install-surface risk.
Credentials
The only credential the skill needs is DASHSCOPE_API_KEY (used as a Bearer token to call the Bailian API), which is reasonable for this purpose. But the mismatch between the package-level 'required env vars: none' and SKILL.md's 'DASHSCOPE_API_KEY' is confusing. Also, the script's fallback to searching multiple TOOLS.md locations may read user files containing other secrets if present — it only extracts a matching DASHSCOPE_API_KEY line, but file reads are sensitive.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system config, and does not install persistent components. It only performs network calls at runtime and writes the downloaded image to a local path specified by the user (or a generated filename).
What to consider before installing
This skill appears to implement the described Alibaba Bailian image-generation flow and only needs a DASHSCOPE_API_KEY. Before installing:

1) verify the package metadata vs SKILL.md — ensure you supply DASHSCOPE_API_KEY if you intend to use it;
2) prefer setting the API key as an environment variable (export DASHSCOPE_API_KEY) rather than relying on TOOLS.md, since the script will try to read TOOLS.md from several filesystem locations (including unexpected paths) which could expose local files;
3) consider creating a dedicated API key with limited scope/quota for this skill;
4) be aware the script makes outbound HTTPS requests to dashscope.aliyuncs.com and will download the returned image from whatever host the API provides;
5) if you are uncomfortable with the script reading files outside the skill directory, inspect or run it in an isolated environment (container or VM) or modify the script to restrict TOOLS.md lookup to a single safe location.

If these issues are acceptable, the skill is plausibly coherent with its stated purpose; otherwise proceed with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk979zg5ns5hmwt3vsj9fppa7b980w2m3


Runtime requirements

🎨 Clawdis
