Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Multimodal Generate Image
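v1.0.0
AI-powered image generation and editing tool for producing high-quality product images. Use when the user asks to generate an image, make an image, edit a photo, do text-to-image or image-to-image, change a background, change the style, replace an object in an image, composite a product into a scene, swap the model, or create any kind of AI-generated visual content, AI drawing, image generation, text-to-image, image-to-i...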
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, references/api.md, and the Python script all describe an image generation/editing skill that calls a LinkFox multimodal API — that matches the stated purpose. However, the registry metadata declares no required environment variables or primary credential while both references/api.md and scripts/multimodal_generate_image.py require an API key via the environment variable LINKFOXAGENT_API_KEY. This metadata omission is an incoherence (the skill will need credentials even though none are declared).
Instruction Scope
SKILL.md and the script limit actions to constructing a prompt, optionally accepting up to 3 reference image URLs, calling the LinkFox API, and displaying results. There are no instructions to read unrelated local files, exfiltrate arbitrary system data, or run other system commands. The skill does suggest proactively asking for reference URLs and posts feedback to a separate feedback endpoint; both are within the skill's functional scope but imply outbound transmission of user-provided content.
Install Mechanism
No install spec or external downloads are present; the skill is instruction/script-only and does not write or execute arbitrary fetched code. This is a lower-risk install model.
Credentials
The code requires a single environment variable LINKFOXAGENT_API_KEY to authenticate to the external API, which is proportionate to the task. However, the registry metadata incorrectly lists 'Required env vars: none' and 'Primary credential: none' despite the script and API docs requiring the API key. That mismatch is an integrity issue and could mislead users about what credentials will be needed and when data is sent externally.
Persistence & Privilege
The skill does not request persistent privileges (always:false) and does not modify other skills or system settings. It runs as a normal, user-invoked skill and does not request elevated system presence.
What to consider before installing
Before installing, note that the included script and API docs send prompts and any reference image URLs you provide to https://tool-gateway.linkfox.com (and feedback to https://skill-api.linkfox.com). The skill requires an API key (LINKFOXAGENT_API_KEY) even though the registry metadata does not declare it — ask the publisher to correct the manifest. Consider these steps: (1) Verify the publisher and the LinkFox endpoints and confirm they are legitimate; (2) Do not send sensitive or private images or PII until you trust the service and have read its privacy/retention policy; (3) Require the manifest be updated to declare LINKFOXAGENT_API_KEY as a required credential so the permission/consent model is clear; (4) If you cannot verify the service or the publisher, avoid providing credentials or installing the skill. I have medium confidence in this assessment because the code is straightforward and matches the SKILL.md, but the metadata omission and external data flow create a meaningful concern.
Like a lobster shell, security has layers — review code before you run it.
