Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
doubaoimg
v1.0.0Generate images with Doubao web chat, extract the final generated image URL from the page, save the image locally, and return the saved local path. Use when...
⭐ 0· 133·0 current·0 all-time
by@likely7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (save Doubao-generated images locally) align with the runtime instructions (open doubao web chat, extract image URL, download to disk). However the SKILL.md hardcodes Windows-specific paths (C:\Users\Administrator\.openclaw\workspace\tmp) and PowerShell usage while the registry metadata lists no OS restriction; this is disproportionate and likely to fail or behave unexpectedly on non-Windows hosts.
Instruction Scope
Instructions remain within the stated purpose: open the web page, input a prompt, inspect DOM/preview and pick a large image URL, then download it. They do instruct executing JS evaluate snippets in the page context and running local python download commands. Those are expected for browser automation + local saving, but they give the agent permission to write arbitrary files to the host filesystem and to run Python via PowerShell which may be unexpected on non-Windows hosts.
Install Mechanism
Instruction-only skill with no install spec and no packages to install; this minimizes supply-chain risk. There are no downloads or external install URLs.
Credentials
The skill requests no environment variables or credentials, which is appropriate. But it implicitly assumes the agent has permission to write to a specific local directory and to run PowerShell/python. The hardcoded Administrator path and Windows-specific command form are disproportionate to the stated, cross-platform intent and should be parameterized.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It does perform local file writes (its intended function) but does not attempt to modify other skills or agent configuration.
What to consider before installing
This skill appears to do what it says (find the best Doubao image URL and save it locally) but has practical/incoherence issues you should review before installing:
- OS mismatch: SKILL.md hardcodes a Windows Administrator path and uses PowerShell pipe to python. If your agent runs on Linux/macOS or under a non-Administrator account, the provided commands will fail or attempt to write into an inappropriate path. Ask the skill author to make output_path configurable and provide cross-platform examples.
- Local write + command execution: The skill will download arbitrary URLs and run Python via PowerShell. Ensure the agent runs in a trusted/sandboxed environment and that you are comfortable with files being written to the specified directory. Consider changing the default path to a user-owned workspace.
- Source trust: There's no homepage or known source owner. That increases risk; consider testing in an isolated environment first.
- Operational notes: The skill expects the user to be optionally logged into doubao.com and will execute JS in the page context. Avoid sending secrets inside prompts. If you want to use it, request the author add cross-platform examples, parameterize output_path, and document required runtime capabilities (browser automation, Python availability, file write permissions).Like a lobster shell, security has layers — review code before you run it.
latestvk97c11zjw2j7pewfdcsh2t8mgs8347ns
License
MIT-0
Free to use, modify, and redistribute. No attribution required.