Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qwen Text-to-Image (千问文生图)

v1.0.0

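Skill for the Alibaba Cloud Qwen text-to-image model (Qwen-Image), with image generation support. Use it when the user asks the AI to generate an image, draw a picture, or do text-to-image (文生图), or mentions Qwen (千问) or Alibaba Cloud image generation. Supports Chinese and English prompts; image size, style parameters and similar options can be specified.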

by woodylan @lanlan314
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (Qwen image/text-to-image generation) matches the runtime instructions calling DashScope/Qwen endpoints, but the registry metadata lists no required credentials while the SKILL.md explicitly requires DASHSCOPE_API_KEY. That mismatch is unexplained and reduces trust.
Instruction Scope
SKILL.md gives concrete curl examples to a dashscope.aliyuncs.com endpoint, describes request construction, response parsing, and error codes. The instructions do not attempt to read unrelated files or exfiltrate other data; scope is limited to calling the image API and returning image URLs.
Install Mechanism
No install spec and no code files (instruction-only) — minimal disk/write footprint. This is low risk from install mechanics.
! Credentials
The instructions require an API key via the DASHSCOPE_API_KEY environment variable, but the skill metadata declares no required env vars or primary credential. The skill will use an external service credential; the registry should explicitly declare this. Ensure that only a purpose-scoped key is provided.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request persistent system privileges or attempt to modify other skills or agent-wide configs.
What to consider before installing
This skill implements an Alibaba Cloud (DashScope/Qwen-Image) text-to-image integration and will call external APIs using an API key. Before installing: (1) ask the publisher to update the registry metadata to list DASHSCOPE_API_KEY as a required credential (the SKILL.md already expects it); (2) only provide a scoped API key (least privilege), and confirm billing/costs and rate limits for your account; (3) verify the endpoint and publisher/source (no homepage provided) — absence of a verifiable source increases risk; (4) if you don’t want the agent to call external services autonomously, restrict or withhold the API key or disable autonomous invocation for this skill. If the publisher cannot justify the metadata mismatch, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.
