Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baoyu Imagine

v1.0.1

AI image generation with OpenAI, Azure OpenAI, Google, OpenRouter, DashScope, MiniMax, Jimeng, Seedream and Replicate APIs. Supports text-to-image, reference...

by Jim Liu 宝玉 (@jimliu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the implementation: scripts and provider modules implement OpenAI, Azure, Google, OpenRouter, DashScope, MiniMax, Jimeng, Seedream and Replicate integrations. The many provider-related env vars and provider selection logic are expected for a multi-provider image generator.
Instruction Scope
Runtime instructions require creating/reading EXTEND.md under .baoyu-skills (project or user), loading .env files from project/home, reading reference image files provided by the user, and calling provider APIs (network). These actions are expected for the stated functionality but mean the skill will read/write files in the user's project/home directory and upload user-supplied reference images to external APIs.
Install Mechanism
There is no install spec (instruction-only). Runtime uses bun if installed or falls back to running 'npx -y bun' to execute TypeScript. Using npx to pull/run a tool dynamically has a moderate risk because it fetches remote code at runtime; preferring a locally installed bun (or reviewing package provenance before running) reduces risk.
Credentials
The skill references many provider API keys and related env vars (OPENAI_API_KEY, GOOGLE_API_KEY, AZURE_OPENAI_API_KEY, REPLICATE_API_TOKEN, DASHSCOPE_API_KEY, etc.). That is proportional to a multi-provider image generation tool. The skill also documents loading .env files and supports provider-specific override envs; those behaviours are expected but mean API keys present in environment or .env files will be used.
Persistence & Privilege
The skill writes persistent configuration (EXTEND.md) into .baoyu-skills in project or the user's home directory and may rename legacy config files. It does not request system-wide privileges or modify other skills' configurations. Persistent file writes are expected for preference storage but the user should be aware of those writes.
Assessment
This skill appears to be what it claims: a multi-provider image generation CLI/agent. Before installing or running it, consider:

1) The runtime may call external provider APIs and will upload any reference images you pass — do not supply sensitive images.
2) The SKILL will create and update EXTEND.md under .baoyu-skills in your project or home directory and may load .env files from those locations; review those files and the created EXTEND.md if you care about persisted settings.
3) If bun is not installed, the instruction suggests using 'npx -y bun' which downloads and runs code from npm at runtime — for lower risk, install bun locally or inspect the package before allowing dynamic npx executions.
4) Only provide API keys for providers you trust and need; avoid putting unrelated credentials into your environment or the skill's .env files.

If you want additional assurance, review the included scripts (they are present in the package) or run the skill in a restricted environment (container or VM) before granting access to your main account/keys.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

scripts/providers/google.ts:97 - Shell command execution detected (child_process).
scripts/providers/azure.test.ts:21 - Environment variable access combined with network send.
scripts/providers/azure.ts:36 - Environment variable access combined with network send.
scripts/providers/dashscope.ts:94 - Environment variable access combined with network send.
scripts/providers/google.ts:17 - Environment variable access combined with network send.
scripts/providers/jimeng.test.ts:34 - Environment variable access combined with network send.
scripts/providers/jimeng.ts:7 - Environment variable access combined with network send.
scripts/providers/minimax.test.ts:23 - Environment variable access combined with network send.
scripts/providers/minimax.ts:39 - Environment variable access combined with network send.
scripts/providers/openai.ts:6 - Environment variable access combined with network send.
scripts/providers/openrouter.ts:44 - Environment variable access combined with network send.
scripts/providers/replicate.ts:11 - Environment variable access combined with network send.
scripts/providers/seedream.test.ts:44 - Environment variable access combined with network send.
scripts/providers/seedream.ts:49 - Environment variable access combined with network send.
[!] scripts/providers/azure.ts:2 - File read combined with network send (possible exfiltration).
[!] scripts/providers/google.ts:2 - File read combined with network send (possible exfiltration).
[!] scripts/providers/minimax.ts:2 - File read combined with network send (possible exfiltration).
[!] scripts/providers/openai.ts:2 - File read combined with network send (possible exfiltration).
[!] scripts/providers/openrouter.ts:2 - File read combined with network send (possible exfiltration).
[!] scripts/providers/replicate.ts:2 - File read combined with network send (possible exfiltration).
[!] scripts/providers/seedream.ts:2 - File read combined with network send (possible exfiltration).


Runtime requirements

Any bin: bun, npx
