Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Image Generator
v1.0.0AI image generation skill using DALL-E, Stable Diffusion, or Midjourney API. Generate, edit, and vary images from text prompts.
⭐ 0· 68·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to generate and edit images via DALL·E, Stable Diffusion, or Midjourney, which would reasonably require API credentials and client code. However, the registry metadata lists no required env vars or credentials and there are no code files bundled — the SKILL.md refers to a local script (scripts/generate_image.py) that does not exist in the package. This mismatch means the skill as published cannot perform the claimed capability without external artifacts.
Instruction Scope
SKILL.md instructs the agent/operator to export API keys (OPENAI_API_KEY, STABILITY_API_KEY, REPLICATE_API_TOKEN) and to run python3 scripts/generate_image.py with local file paths. Those instructions reference files and environment variables not declared in the registry and not present in the package. The doc also names Midjourney in the description but provides no configuration guidance for it (Midjourney typically uses Discord), another inconsistency.
Install Mechanism
There is no install spec and no code is written to disk by the skill itself (instruction-only). This is low install-surface risk, but since the skill points to external scripts that are missing, it appears incomplete rather than actively installing anything.
Credentials
The SKILL.md asks users to set multiple API keys for image providers, which would be normal for an image-generation tool. But the package metadata declares no required environment variables or primary credential — the omission is a mismatch. Requiring multiple provider keys is proportionate to supporting multiple backends, yet the lack of declared requirements and absent code raises the risk that keys may be handled outside expected channels if the missing code were supplied later.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false) and does not declare any privileged system config or cross-skill modifications. Autonomous invocation is allowed by platform default, but that alone is not a concern given the other issues.
What to consider before installing
This skill appears incomplete or inconsistent: SKILL.md tells you to export API keys and run scripts/generate_image.py, but the package contains no scripts and the registry metadata lists no env vars. Before installing or providing API keys, ask the publisher for the missing source (scripts/generate_image.py and any other code), or prefer a published skill whose code and required env vars are included and documented. If you must test it, use dedicated, low-permission API keys (rotate them after), avoid using high-privilege or production keys, and verify where network calls are sent (official provider endpoints). If the author cannot supply the code or a trustworthy source URL, treat the skill as unreliable and do not provide secret credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk979bn9hf0knrb0byc4w3rv8ts83g6sw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.