Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
raise-ai-media
v1.0.0RaiseAI 媒体生成工具集 - 生图、生视频、脚本生成、图片解析、视频解析。 当用户提到以下任何关键词时必须触发此技能:生成图片、生成视频、图片生成、视频生成、脚本生成、 图片解析、图生文、反推提示词、视频解析、视频脚本、图片生图、视频生视频、 AI生图、AI生视频、AI创作、Media generation...
⭐ 0· 67·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description, Base URL (https://ai.micrease.com) and the single required environment variable (RAISE_AI_API_KEY) align with a media-generation integration. However, SKILL.md suggests writing the API key into the agent configuration (~/.openclaw/openclaw.json) as an install-time convenience while the skill metadata declares no required config paths — this is an inconsistency the user should be aware of.
Instruction Scope
The instructions are detailed and focused on the RaiseAI API, but include several behaviors that may be unexpected: (1) the agent is instructed to silently poll the provider every 5 seconds until completion even if the user does not respond, which results in background network activity; (2) agents are told not to mention technical details (task IDs, polling) and to automatically persist API keys provided in chat; (3) the skill requires that all signed URLs (including query parameters like OSSAccessKeyId/Signature) be 'directly displayed' to users — while these are temporary links, the guidance to expose them verbatim increases the chance of accidental sharing of signed tokens. These behaviors expand the agent's operational scope beyond a single synchronous request/response.
Install Mechanism
No install spec and no code files — instruction-only skill. That is the lowest install risk: nothing is downloaded or written by the skill itself (aside from guidance telling the agent how to persist configs).
Credentials
The skill only requires a single credential, RAISE_AI_API_KEY, which is appropriate for an API integration. But the SKILL.md actively encourages the user to paste their API key into chat ("My RaiseAI API Key is xxx") so the agent will capture and persist it — this increases risk of accidental exposure. Users should ensure the key's permissions are scoped and be aware the key will be stored as an environment/config entry.
Persistence & Privilege
always:false (no forced global inclusion) and no unusual process privileges. However the documentation instructs agents to persist the API key (environment variable or by adding to ~/.openclaw/openclaw.json). The metadata did not declare required config paths but the SKILL.md shows how to modify a user config file — storing credentials persistently is expected but noteworthy because it is a permanent side-effect and not explicitly declared in the manifest.
What to consider before installing
This skill appears to be a straightforward RaiseAI integration, but review these points before installing or using it: 1) Only give the skill a RaiseAI API key you trust — prefer creating a limited-scoped key or a disposable key you can revoke. 2) Avoid pasting API keys into public or shared chats; if you must provide a key, understand the skill will persist it (environment variable or ~/.openclaw/openclaw.json) unless you remove it. 3) The agent will poll the provider every ~5s and may continue when you don't respond — expect background network activity and consider whether you want that. 4) The skill instructs the agent to return signed URLs (with OSSAccessKeyId/Signature) verbatim; treat those links as sensitive (they are temporary but grant access while valid). 5) Verify the service endpoint (https://ai.micrease.com) and the vendor's trustworthiness/privacy policy before sharing data or keys. If any of these behaviors are unacceptable, do not install or revoke the API key after use. If you want a safer setup, create a dedicated, limited key and test with non-sensitive data first.Like a lobster shell, security has layers — review code before you run it.
latestvk97beg6kabcswpzk4t9k0q3ymh83nepm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvRAISE_AI_API_KEY
Primary envRAISE_AI_API_KEY