Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
wan-image-gen
v1.0.0. Generate images using Alibaba DashScope wan2.6-t2i model, download to Desktop, and upload to catbox.moe image hosting. Use when the user asks to generate, cr...
⭐ 1· 393·2 current·2 all-time
by Agentrix@lxyd-ai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's description and SKILL.md consistently describe calling Alibaba DashScope (wan2.6-t2i) and uploading results to catbox.moe — that is coherent. However the registry metadata lists no required environment variables while the SKILL.md explicitly requires DASHSCOPE_API_KEY. The missing declaration is an incoherence that affects user expectations of needed credentials.
Instruction Scope
The instructions are concrete (curl to DashScope, download to ~/Desktop, upload to catbox.moe) and stay within the stated purpose. Concerns: (1) SKILL.md includes a literal-looking API key (sk-ec7...), which may be a real secret or a placeholder — embedding keys in docs is risky; (2) the instructions write files to the user's Desktop and upload them to a third-party public host (catbox.moe) without asking for explicit consent in the flow; (3) the guide assumes presence of python3 and standard paths but the registry did not declare those prerequisites.
Install Mechanism
Instruction-only skill with no install steps and no code files — low install risk.
Credentials
Only one credential (DASHSCOPE_API_KEY) is needed according to the SKILL.md, which is proportionate. But the registry claims no required env vars, creating an inconsistency. The embedded example API key is an additional risk (possible accidental secret disclosure). No other unrelated credentials are requested.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-level privileges or modify other skills' configuration. Autonomous invocation is allowed (platform default) but is not combined with other high-risk indicators here.
What to consider before installing
This skill appears to do what it says (call Alibaba DashScope to generate images and upload them to catbox.moe), but there are a few things to check before installing:
1) The SKILL.md requires DASHSCOPE_API_KEY but the registry metadata lists no required env vars. Ask the publisher to correct the metadata so you know beforehand what secret will be used.
2) SKILL.md contains a literal-looking API key in an example; do not assume it is safe. Treat it as a possible leaked secret and ask the maintainer to remove or redact it.
3) The workflow writes images to your Desktop and uploads them to a public third-party host (catbox.moe). Confirm you are comfortable with generated images being stored publicly and that no sensitive content will be uploaded.
4) Verify the DashScope endpoint (dashscope-intl.aliyuncs.com) is the correct official API and use a scoped or disposable API key for initial testing.
5) Consider updating the skill to prompt the user explicitly before writing files or uploading, and to avoid embedding credentials in docs.
If the publisher clarifies the env var requirement and removes the hardcoded example key, the inconsistencies would be resolved.
Latest version: vk970s28r3tvtv1f9nbx3xwvajh821j42
