Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Grs Image

v1.0.0

GrsAI Nano Banana Pro image-generation tool. Generates images through the GrsAI API and accepts prompts written in Chinese. Intended for interior-design renderings, grand-opening posters, design assets, and similar use cases.

0 · 55 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description claim it calls the GrsAI API to generate images, and the included script does make HTTP calls to an external GrsAI endpoint, so the stated purpose and the observed behaviour agree. However, the registry metadata lists no required environment variables and no primary credential, while both SKILL.md and the script require GRSAAI_API_KEY. This mismatch between the declared requirements and the actual runtime needs is unexpected.
Instruction Scope
SKILL.md provides concrete CLI usage and asks the user to set GRSAAI_API_KEY and to pip install requests. The runtime instructions and the script perform only network calls to the GrsAI endpoints and write the downloaded image file to disk, all within the stated image-generation scope. SKILL.md references both a domestic and an overseas API host, but the script hard-codes the domestic BASE_URL; this is a minor inconsistency to be aware of.
Install Mechanism
There is no install spec; the skill is instruction-only with a small Python script. SKILL.md asks to pip install requests — a minimal, expected dependency. No downloads from untrusted URLs or extraction steps are present.
Credentials
The script reads GRSAAI_API_KEY from the environment and sends it as a Bearer token to an external service. The registry metadata does not declare this required credential or a primaryEnv, so the requirement is undeclared and potentially confusing: users may not realize an API key will be transmitted to the hard-coded endpoint. No other, unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify system configuration or other skills' configs, and writes only an output image file. It performs network I/O to external endpoints, which is expected for its purpose, but does not request elevated or persistent privileges.
What to consider before installing
This skill is largely what it says it is, a small Python client for a GrsAI image API, but check two things before installing.

(1) The registry metadata omits the required GRSAAI_API_KEY even though SKILL.md and the script require it and will send it to the hard-coded endpoint (https://grsai.dakka.com.cn). Only provide a key if you trust that host and the skill owner.

(2) The script hard-codes a domestic BASE_URL while the documentation also lists an overseas endpoint. Confirm which endpoint you intend to use and edit the script if needed.

Inspect the script source (it is included) and, if possible, test with a low-privilege or revocable API key first. Be aware that the script downloads the final image from whatever URL the API returns; if you have strict network policies, verify returned URLs before trusting them. If the author or homepage is unknown, prefer caution.
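A pre-install check along the lines recommended above, written here as an added example; it is not the skill's own script and not ClawHub's scanner. It extracts the environment variables a skill script reads and the hosts it hard-codes, compares the env reads against what the registry declared, flags downloads from a URL chosen at runtime, and applies an exact-host allowlist to returned image URLs. SAMPLE_SCRIPT is a constructed stand-in that mirrors what the scan describes, not the real file; the regexes are heuristics that cover the common os.environ / os.getenv / requests.get spellings; the allowlist containing only grsai.dakka.com.cn is an assumed policy based on the one host the scan names.

```python
"""Pre-install audit for a ClawHub-style skill script (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for the skill's script (not the real file). It mirrors
# what the scan describes: a Bearer token from GRSAAI_API_KEY, a hard-coded
# BASE_URL, and a download of whatever URL the API returns.
SAMPLE_SCRIPT = '''
import os, requests
BASE_URL = "https://grsai.dakka.com.cn"
API_KEY = os.environ["GRSAAI_API_KEY"]
headers = {"Authorization": f"Bearer {API_KEY}"}
resp = requests.post(BASE_URL + "/v1/images", headers=headers, json={"prompt": "x"})
img = requests.get(resp.json()["url"]).content
open("out.png", "wb").write(img)
'''

# Environment reads spelled os.environ["X"], os.environ.get("X") or os.getenv("X").
ENV_READ = re.compile(
    r'os\.environ\[\s*["\']([A-Z0-9_]+)["\']\s*\]'
    r'|os\.(?:getenv|environ\.get)\(\s*["\']([A-Z0-9_]+)["\']'
)
# Absolute URLs hard-coded in the source.
URL_LITERAL = re.compile(r'https?://[^\s"\'<>]+')
# Heuristic: a requests.get whose first argument is not a string literal, i.e. a
# fetch from a URL decided at runtime (such as the one the API returns).
DYNAMIC_GET = re.compile(r'requests\.get\(\s*(?!["\'])')


@dataclass(frozen=True)
class Findings:
    env_reads: frozenset       # env vars the script reads
    undeclared_env: frozenset  # env reads missing from the registry metadata
    hosts: frozenset           # hosts named by hard-coded URLs
    dynamic_fetch: bool        # downloads from a runtime-chosen URL


def audit_script(script: str, declared_env: set) -> Findings:
    """Compare what the script actually needs with what the registry declared."""
    env_reads = frozenset(a or b for a, b in ENV_READ.findall(script))
    hosts = frozenset(
        h for h in (urlparse(u).hostname for u in URL_LITERAL.findall(script)) if h
    )
    return Findings(
        env_reads=env_reads,
        undeclared_env=env_reads - frozenset(declared_env),
        hosts=hosts,
        dynamic_fetch=DYNAMIC_GET.search(script) is not None,
    )


def url_allowed(url: str, allowed_hosts: set) -> bool:
    """Accept only https URLs whose host is exactly one of allowed_hosts.

    Exact matching rejects look-alikes such as allowed.host.evil.example and
    userinfo tricks such as https://allowed.host@evil.example/, because
    urlparse reports evil.example as the hostname in both cases.
    """
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in allowed_hosts


# Assumed policy for this page: the only host the scan mentions. Change it if
# you switch to the overseas endpoint that SKILL.md references.
ALLOWED_IMAGE_HOSTS = {"grsai.dakka.com.cn"}


if __name__ == "__main__":
    f = audit_script(SAMPLE_SCRIPT, declared_env=set())  # registry declared nothing
    print("env reads:", sorted(f.env_reads))
    print("undeclared:", sorted(f.undeclared_env))
    print("hard-coded hosts:", sorted(f.hosts))
    print("fetches runtime URL:", f.dynamic_fetch)
    for u in ["https://grsai.dakka.com.cn/out/1.png",
              "https://grsai.dakka.com.cn@evil.example/out/1.png"]:
        print(u, "->", "allowed" if url_allowed(u, ALLOWED_IMAGE_HOSTS) else "blocked")
```

Run it against the real script text instead of SAMPLE_SCRIPT and pass the env vars the registry actually declares; any name in undeclared_env is a credential the skill will use that the listing never told you about, and any host in hosts is where that credential goes. The allowlist check belongs in front of the final image download, since that URL is whatever the API chooses to return.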

Like a lobster shell, security has layers — review code before you run it.

latest: vk976exnw4y0se2bag5zww4px3h83z6wj

