Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ms Ai
v1.2.1ModelScope AI 技能:生图、改图、析图、生文。支持文生图、图生图、视觉理解、文本生成,遇到限速自动轮换模型。
⭐ 0· 114·1 current·1 all-time
byLuhui WANG@luhuiwang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name, description, SKILL.md and the Python scripts consistently implement text/image generation and vision features via the ModelScope API (api-inference.modelscope.cn). Functionality matches the stated purpose. However the registry metadata declared no required environment variables/primary credential while the code and SKILL.md clearly require MODELSCOPE_API_KEY (supporting multiple comma-separated keys). This mismatch is an incoherence: the skill will fail without the key but the registry does not advertise that requirement.
Instruction Scope
SKILL.md and scripts are explicit about what to run (pip install requests Pillow; run the provided scripts) and instruct editing ~/.openclaw/openclaw.json to supply MODELSCOPE_API_KEY. The scripts only read image files, a history JSON, and the MODELSCOPE_API_KEY; they transmit images/prompts to ModelScope endpoints (expected). A notable issue: the code prints the first ~12 characters of each API key to stderr when selecting keys (potential secret leakage into logs). Otherwise instructions do not request unrelated system files or unrelated credentials.
Install Mechanism
There is no install spec that downloads arbitrary code; the package includes Python scripts and documentation. Runtime requires pip packages (requests, Pillow) which the SKILL.md documents. No external binary downloads or obscure URLs are used by the install process. Network calls at runtime go to the documented ModelScope endpoints.
Credentials
The skill legitimately needs MODELSCOPE_API_KEY (and supports supplying multiple keys). Requesting a single API key for the service the skill integrates with is proportionate. However the registry metadata omits declaring this requirement (it lists no required env vars), which is misleading. Additionally, scripts reveal the first ~12 characters of each API key in stderr, which could leak key fragments into logs/telemetry; this is unnecessary and increases risk. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not set always:true and does not request elevated platform privileges. It asks the user to add a skill-scoped env entry to ~/.openclaw/openclaw.json (normal for skill-level config). The scripts do not modify other skills or system-wide config beyond advising how to add its own setting.
What to consider before installing
This skill appears to implement exactly what it claims (ModelScope text/image/vision) but it requires MODELSCOPE_API_KEY(s) and the registry metadata does not declare that — so the platform record is incomplete. Before installing: 1) Verify you are comfortable storing MODELSCOPE_API_KEY in ~/.openclaw/openclaw.json (this stores keys in plaintext) or prefer exporting the env var instead. 2) Prefer creating a limited-privilege / limited-quota ModelScope key and rotate it if exposed. 3) Be aware the scripts print the first ~12 chars of each API key to stderr; if you collect logs or share stderr, that could leak key fragments — consider removing or changing that logging in common.py. 4) Confirm network access to https://api-inference.modelscope.cn/ is acceptable and that you consent to sending images/prompts to that service (images are uploaded/base64-encoded). 5) Ask the publisher or registry maintainer to update the skill metadata to declare MODELSCOPE_API_KEY as a required credential so the requirement is visible prior to install. If you want higher assurance, inspect the included Python files locally (they are small and readable) before running.Like a lobster shell, security has layers — review code before you run it.
aivk975w5tgwfa7ty1nrqdabxn8nd83h8t1imagevk975w5tgwfa7ty1nrqdabxn8nd83h8t1latestvk972yez29dpqfbffg0035yygj983z7ewmodelscopevk975w5tgwfa7ty1nrqdabxn8nd83h8t1textvk975w5tgwfa7ty1nrqdabxn8nd83h8t1visionvk975w5tgwfa7ty1nrqdabxn8nd83h8t1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.