ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

万相 2.6 生成微信公众号封面图

v1.0.0

使用阿里云万相 2.6 模型生成微信公众号封面图和技术架构设计图

1· 78·0 current·0 all-time
by@love254443233
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md match the stated purpose (generate WeChat cover images, tech diagrams, article images using Aliyun Wan/Dashtscope). Required Python deps (dashscope, requests) are appropriate. However, the registry metadata claims no required env vars while the skill clearly needs an API key (DASHSCOPE_API_KEY / QWEN_API_KEY / ALIYUN_DASHSCOPE_API_KEY), which is an inconsistency.
!
Instruction Scope
SKILL.md and code instruct the agent to load environment variables from multiple locations in order (OPENCLAW_ENV_FILE, local .env, ~/.openclaw/.env, ~/.workbuddy/.env). That behavior goes beyond just reading a single service key and may read shared config files used by other skills/platform components, increasing the risk of unintended access to other secrets. Other runtime behavior (creating local .env, saving images under ~/WorkBuddy/<skill>) is coherent with the stated purpose.
Install Mechanism
No risky remote install steps or arbitrary downloads are present; dependencies are normal Python packages listed in requirements.txt. There is no install spec in the registry (instruction-only), and bundled scripts are simple local helpers (setup.sh, config.py).
!
Credentials
The skill requires an API key for Aliyun Dashscope but the registry metadata did not declare any required env vars—this omission is misleading. The skill also accepts multiple env var names and will load several env files (including ~/.openclaw/.env and ~/.workbuddy/.env), which could expose unrelated credentials if those files contain other secrets. Requesting a single service API key would be proportionate; reading shared env files is broader than necessary.
Persistence & Privilege
always:false and no evidence the skill modifies other skills or system-wide agent settings. It writes a local .env in its own directory and saves images under a user WorkBuddy directory—reasonable for functionality. Still, users should note files are created under the user home.
What to consider before installing
This skill appears to implement the advertised image-generation features, but there are two practical concerns to weigh before installing: (1) the registry metadata omits that you must provide an API key—the code expects DASHSCOPE_API_KEY (and will also accept QWEN_API_KEY / ALIYUN_DASHSCOPE_API_KEY); verify the skill metadata is updated so you understand what secrets are required; (2) the runtime will load shared env files (OPENCLAW_ENV_FILE, ~/.openclaw/.env, ~/.workbuddy/.env) to locate keys. If those files contain credentials for other services, the skill could read them. Recommended actions: inspect the code locally (you already have it), provide the API key via a dedicated .env in the skill folder or explicit --api-key when invoking, avoid placing unrelated secrets in shared ~/.openclaw/.env or ~/.workbuddy/.env, and run the tool in a sandboxed environment if you cannot fully trust the author. If you need higher assurance, ask the maintainer to update registry metadata to declare DASHSCOPE_API_KEY as a required env var and to avoid loading unrelated shared env files by default.

Like a lobster shell, security has layers — review code before you run it.

latestvk979k075kecaee3bbqvr7wxrhn84414t
78downloads
1stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@love254443233
latest
Download

wan26-text-to-image

使用阿里云万相 2.6 模型生成微信公众号封面图和技术架构设计图。

功能

  • 微信公众号封面图生成:根据文章标题和内容生成 16:9 比例的封面图(1280×720)
  • 技术架构设计图生成:根据技术描述生成 AI/大模型相关的技术架构 visualization
  • 文章配图生成:根据段落内容生成多张配图

命令

generate_wx_cover

生成微信公众号封面图

参数:

  • title (string, 必填): 文章标题
  • content (string, 可选): 文章内容摘要或关键词
  • style (string, 可选): 风格描述,如"科技感"、"简约"、"商务"等
  • api_key (string, 可选): 阿里云 API Key,如不提供则从环境变量 DASHSCOPE_API_KEY 或技能目录 .env 读取

示例:

generate_wx_cover title="大模型技术架构解析" content="Transformer, RAG, Agent" style="科技感,蓝色调"

generate_tech_diagram

生成技术架构设计图

参数:

  • description (string, 必填): 技术架构描述
  • components (string, 可选): 主要组件列表,逗号分隔
  • style (string, 可选): 图表风格,如"框图"、"流程图"、"架构图"等
  • api_key (string, 可选): 阿里云 API Key

示例:

generate_tech_diagram description="RAG 系统架构,包含向量数据库、检索模块、生成模块" components="向量库,检索器,LLM, 知识库" style="清晰的架构图"

generate_article_images

生成文章配图(支持多张)

参数:

  • content (string, 必填): 段落内容
  • count (int, 可选): 生成图片数量,默认 3 张,最多 5 张
  • size (string, 可选): 图片尺寸,默认"1280*720"
  • api_key (string, 可选): 阿里云 API Key

示例:

generate_article_images content="深度学习神经网络的工作原理" count=3 size="1280*720"

配置

环境变量

在终端中为「阿里云百炼」下发的密钥配置进程环境变量(名称以官方控制台为准,常见为 DASHSCOPE_API_KEY)。将真实密钥粘贴进本仓库中的任何已跟踪文件;本地仅使用 .env(已在 .gitignore)或各平台私密配置。

本地 .env 与 OpenClaw 共用配置

以下路径会按顺序加载(仅补充当前环境中尚未设置的变量,不覆盖已 export 的键):

  1. OPENCLAW_ENV_FILE(若设置)
  2. 技能目录下本地 .env(需自行创建,已列入 .gitignore
  3. ~/.openclaw/.env
  4. ~/.workbuddy/.env

可与其它技能共用同一份 ~/.openclaw/.env;文件中仅存放由控制台下发的密钥,不要.env 提交到版本库。

创建生成器实例且未传 --api-key 时,会自动执行上述加载逻辑。

机器调用建议(新增)

为了让上游技能稳定解析结果,建议使用 --json-only

python wan26_generator.py --json-only cover --title "RAG 幻觉治理" --content "RAG, Hallucination"

该模式会只在 stdout 输出 JSON,便于脚本解析。

API Key 获取

  1. 访问 阿里云百炼控制台
  2. 创建 API Key
  3. 配置到环境变量或作为参数传入

文件输出目录

默认将下载的图片保存到 ~/WorkBuddy/<技能文件夹名>/(与 ~/.workbuddy/skills 下本技能目录名一致;代码中为 os.path.join(expanduser('~'), 'WorkBuddy', basename(技能根目录)),可通过 --output-dir 覆盖)。

输出规格

微信公众号封面图

  • 尺寸:1280×720(16:9)
  • 格式:PNG
  • 无水印

技术架构图

  • 尺寸:1280×1280 或自定义
  • 格式:PNG
  • 无水印

注意事项

  • 图片 URL 有效期 24 小时,请及时下载保存
  • 建议使用异步调用模式避免超时
  • 生成时间约 1-2 分钟
  • 按生成图片张数计费

依赖

  • Python 3.7+
  • dashscope SDK >= 1.25.8
  • requests

安全与合规

  • 本技能仓库不包含任何真实 API 密钥;密钥仅通过环境变量或本地 .env 注入。
  • 运行 setup.sh / config.py 时,终端不会输出完整密钥;请勿将密钥提交至 Git 或截图外传。

参考

Comments

Loading comments...