qwenz-image-gen
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: qwen-image-skill
Version: 1.0.0
The skill is designed to generate images using Alibaba Cloud's Qwen-Image and Z-Image models. The `SKILL.md` provides clear instructions and usage examples without any prompt injection attempts. The `scripts/generate.py` script retrieves the `DASHSCOPE_API_KEY` from environment variables or the `TOOLS.md` file (a documented configuration source for OpenClaw skills), makes HTTPS requests to the legitimate Alibaba Cloud API endpoint `dashscope.aliyuncs.com`, and saves the generated image locally. All observed behaviors are aligned with the stated purpose, and there is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Image generation runs under the user's Alibaba Cloud/DashScope account and may consume quota or incur account charges.
The script obtains a DashScope API key from the environment or TOOLS.md and uses it as the bearer credential for Alibaba's API.
key = os.environ.get("DASHSCOPE_API_KEY") ... match = re.search(r'DASHSCOPE_API_KEY:\\s*(\\S+)', content) ... "Authorization": f"Bearer {api_key}"
Use a dedicated, revocable DashScope key with only the needed access, and avoid placing it in shared files unless that is intentional.
Prompt text leaves the local environment and is processed by Alibaba's service.
The user's prompt is sent to the external Alibaba DashScope provider, which is expected for this image-generation service.
"text": prompt ... conn = http.client.HTTPSConnection("dashscope.aliyuncs.com", timeout=120)
Do not include secrets or sensitive private information in image prompts unless you are comfortable sending them to the provider.
A poorly chosen output path could replace an existing local file with the generated image data.
The script saves the downloaded image to a caller-selected output path, which is normal for this skill but can overwrite files if pointed at an existing path.
parser.add_argument("--output", "-o", help="输出文件路径") ... with open(output, "wb") as f: f.write(img_resp.read())
Save outputs to a dedicated images directory and confirm the path before using --output for important locations.
Users relying only on registry metadata may not realize the skill needs a DashScope API key before use.
The registry metadata under-declares the credential requirement that is visible in SKILL.md and required by the script.
Required env vars: none ... Env var declarations: none ... Primary credential: none
Update the registry metadata to declare DASHSCOPE_API_KEY as the required credential.
