ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

suhe

v1.2.0

Edit suhe's reference image with Tongyi Wanxiang (通义万相) and send selfies to messaging channels via OpenClaw

0· 57·0 current·0 all-time
byHongwei Zhao@lilozhao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Skill purpose (edit a fixed reference image via Alibaba DashScope/Tongyi Wanxiang and send via OpenClaw) matches the code and scripts. However the package metadata declared no required environment variables while the SKILL.md and multiple scripts require DASHSCOPE_API_KEY and OPENCLAW_GATEWAY_TOKEN, and additional Aliyun OSS credentials are used in example upload steps but not declared in metadata—this mismatch is unexpected and unclear.
!
Instruction Scope
Runtime instructions and scripts do more than 'call DashScope and send via OpenClaw': they download generated images, upload them to OSS (using ali-oss and environment variables such as ALIYUN_ACCESS_KEY_ID/ALIYUN_ACCESS_KEY_SECRET), and print or return a friendly link under http://pic.lilozkzy.top. The skill also references multiple local gateway endpoints/ports inconsistently (localhost:18789, localhost:3000) and instructs copying and writing many files into ~/.openclaw. These extra actions (upload to OSS, producing friendly links on an external domain) expand scope and require sensitive credentials and trust in external domains.
Install Mechanism
No explicit install spec in registry, but the bundled bin/cli.js is an installer that copies workspace and skill files into the user's ~/.openclaw directory (writing many files into the home folder). That is functional for a template installer but is invasive compared with an instruction-only skill and should be run only after review. No remote downloads from untrusted URLs are performed by installer, but the installer will place scripts that call external services.
!
Credentials
SKILL.md and scripts require DASHSCOPE_API_KEY and OPENCLAW_GATEWAY_TOKEN (reasonable for image generation and sending). However scripts and instructions also reference Aliyun OSS credentials (ALIYUN_ACCESS_KEY_ID, ALIYUN_ACCESS_KEY_SECRET, ALIYUN_OSS_BUCKET, etc.) and expect an oss-uploader skill or ali-oss usage — these are not declared in the registry metadata. The skill will therefore ask for/need additional sensitive credentials beyond what the registry lists. It also references a custom domain (pic.lilozkzy.top) as the canonical output location, which implies either ownership or an expectation about the user's OSS/cname configuration that is not explained.
Persistence & Privilege
always:false (good). The installer (bin/cli.js) writes files into ~/.openclaw (workspace, skill, docs) which is normal for installing an agent template but is persistent on disk. The skill does not request 'always: true' nor does it claim to change other skills' configs; still, installing will create persistent files and scripts that can be executed later by the agent.
Scan Findings in Context
[hardcoded-external-domain-pic.lilozkzy.top] unexpected: The skill repeatedly uses and returns links under http://pic.lilozkzy.top for reference and uploaded images. For a selfie generator you'd expect either a user's OSS bucket or a documented public CDN; a private domain hardcoded like this is unexpected and requires verifying who controls that domain and why links resolve there.
[undeclared-oss-credentials-usage] expected: Uploading generated images to Aliyun OSS is a plausible feature, but the scripts call ali-oss and reference ALIYUN_ACCESS_KEY_ID / ALIYUN_ACCESS_KEY_SECRET / ALIYUN_OSS_BUCKET without those env vars being declared in the registry metadata. That omission is an incoherence: the capability expects additional secrets but does not declare them.
[inconsistent-local-gateway-ports] expected: The skill uses OpenClaw gateway calls but references different local endpoints/ports across files (e.g., http://localhost:18789/message, http://localhost:3000/api/v1/messages). Calling a local gateway is expected, but the inconsistent ports are a reliability/clarity concern and may cause accidental leaking to wrong endpoints if misconfigured.
[installer-writes-home-directory] expected: bin/cli.js copies workspace, skill, and docs into ~/.openclaw and ~/.openclaw/skills. Writing those files is expected for an agent template installer, but it is persistent and invasive compared with an instruction-only skill—users should review what will be written before running.
[malformed-json-in-script] unexpected: Some shell scripts contain malformed JSON in curl -d blocks (e.g., stray quotes or mismatched braces). This indicates sloppy/untested code; while not necessarily malicious, it increases risk of runtime failures and unexpected behavior.
What to consider before installing
Before installing or running this skill: 1) Review and understand the installer (bin/cli.js) — it will copy many files into ~/.openclaw and create persistent skills/workspace files. 2) Verify which environment variables you will need and where they are declared. The registry metadata says none are required, but the skill requires DASHSCOPE_API_KEY and OPENCLAW_GATEWAY_TOKEN and examples use Aliyun OSS credentials (ALIYUN_ACCESS_KEY_ID / ALIYUN_ACCESS_KEY_SECRET) which are sensitive. Only provide keys you control and understand. 3) Confirm ownership/trust of pic.lilozkzy.top — the skill uses that domain for reference images and 'friendly' links; ensure your images are not being hosted or routed through a third party you don't trust. 4) Check local gateway port configuration used by your OpenClaw runtime (the skill references multiple ports); adapt scripts to your environment. 5) Consider running the installer and scripts in a sandbox or review and edit the scripts (especially the upload and gateway URLs) before executing. 6) If you need to limit exposure, prefer configuring uploads to a bucket you control and ensure CNAME/URL behavior is as you expect. If you are uncertain, do not provide your OSS keys or run the installer until you can inspect and modify the code.
bin/cli.js:151
Shell command execution detected (child_process).
scripts/suhe-selfie.ts:127
Environment variable access combined with network send.
skill/scripts/suhe-selfie.ts:127
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c64hep1cmrjr74syvxpyyyd83ybpq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments