Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI 火宝

v1.0.2

Generate images from text prompts or transform existing images using AI with configurable count, watermark, and API key settings.

by 培根666 @kongweigen
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The skill claims to be a 火山引擎 (Volcengine) image-generation skill supporting multiple models, and the SKILL.md and scripts implement text2image and image2image, which matches the high-level purpose. However, the code's API_URL is https://api.chatfire.site/v1/images/generations (a third-party domain) rather than an official Volcengine endpoint. Model names referenced (e.g., gemini-2.5-flash-image, nano-banana) may not map to the actual backend; this provider mismatch is unexplained and disproportionate to the stated purpose.
[!] Instruction Scope
Runtime instructions and included scripts only perform JSON POSTs to the remote API and do not read local secrets or files beyond argv, but they do require an API key (HUOBAO_API_KEY or --api-key) and will transmit it as a Bearer token to api.chatfire.site. The SKILL.md describes Volcengine use, but the instructions direct traffic to an unlisted endpoint — this is outside the expected scope given the description and could lead to credential transmission to an unexpected party.
Install Mechanism
No install specification; this is an instruction+script skill with no downloads or archive extraction. No additional packages or installers are pulled by the skill itself, so there is low install-time risk.
[!] Credentials
SKILL.md and the scripts require an API key (HUOBAO_API_KEY or --api-key) but the registry metadata lists no required environment variables and no primary credential. That mismatch is incoherent. The API key will be sent to api.chatfire.site; if you expected the key to go to Volcengine (or another provider), this could result in secret disclosure to a different service. The number of secrets requested is small (one key), but lacking explanation of the endpoint makes it disproportionate/unjustified.
Persistence & Privilege
The skill does not request persistent/frequent privileges: always:false, no config-path writes, and it does not attempt to modify other skills or system settings. It only runs network requests when invoked.
What to consider before installing
This skill's code does what the description says (text→image and image→image) but it sends your API key to https://api.chatfire.site rather than to an obvious official Volcengine endpoint mentioned in the description. Before installing or using it:

(1) confirm who operates api.chatfire.site and whether your API key is meant for that service;
(2) do not reuse a sensitive/privileged key; create a limited-scope or test key if possible;
(3) prefer keys issued by the actual provider named in the description (or ask the author why a proxy is used);
(4) if you don't trust the endpoint or the skill owner, do not provide real credentials;
(5) if you need to proceed, consider running the script in an isolated environment and monitor outbound network traffic to verify behavior.

The registry metadata should declare the required HUOBAO_API_KEY; its absence is an additional red flag. If the author can explain and justify the api.chatfire.site endpoint (for example, it's an official proxy), that would lower the concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ddk4s97echpew2xt4kchjx181smeq
524 downloads
0 stars
3 versions
Updated 7h ago
v1.0.2
MIT-0

AI 火宝

🔥 Volcengine (火山引擎) AI image-generation Skill. Supports multiple models.

Environment variables

export HUOBAO_API_KEY="<your-api-key>"

Or pass it with the --api-key parameter.

Supported models

Model                            Description
gemini-2.5-flash-image           Gemini 2.5 Flash Image
gemini-2.5-flash-image-preview   Gemini 2.5 Flash Image Preview
nano-banana                      Nano Banana
nano-banana-pro                  Nano Banana Pro
nano-banana-pro_4k               Nano Banana Pro 4K
doubao-seedream-4-5-251128       Doubao (豆包) Seedream 4.5

Supported sizes

Size    Description
1x1     Square
16x9    Widescreen
9x16    Portrait
3x4     Portrait
4x3     Widescreen

Features

Text-to-image (text2image)

python3 scripts/t2i.py "提示词" --model nano-banana-pro --size 1x1

Image-to-image (image2image)

python3 scripts/i2i.py --image <图片URL> --prompt "描述" --model nano-banana-pro

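Parameters

Parameter     Description
prompt        Prompt text (required)
--model       Model name (default: nano-banana-pro)
--size        Size (default: 1x1)
--count       Number of images to generate, 1-4 (default: 1)
--watermark   Whether to add a watermark (default: true)
--api-key     API key (required)
--debug       Debug mode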

Examples

# Text-to-image - Nano Banana Pro
python3 scripts/t2i.py "一只可爱的猫咪" --model nano-banana-pro --size 1x1 --api-key "sk-xxx"

# Text-to-image - Gemini 2.5 Flash
python3 scripts/t2i.py "风景画" --model gemini-2.5-flash-image --size 16x9 --api-key "sk-xxx"

# Image-to-image
python3 scripts/i2i.py --image "https://example.com/img.jpg" --prompt "动漫风格" --model nano-banana-pro --api-key "sk-xxx"

Output format

On success, returns JSON:

{
  "success": true,
  "prompt": "...",
  "model": "nano-banana-pro",
  "size": "1x1",
  "count": 1,
  "images": [{"url": "..."}],
  "usage": {...}
}
