ClawHub

DesignKit Ecommerce AI Studio

v1.0.4

Use when users need DesignKit image editing or ecommerce product-image generation, with public metadata optimized for ClawHub and runtime guidance defaulting...

7· 190·0 current·0 all-time
byMeitu.Inc@meituskills
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (bash, curl, python3), and the single required env var (DESIGNKIT_OPENCLAW_AK) align with the claimed image-editing and ecommerce rendering functionality. The presence of scripts to build requests, upload local images, and download renders is expected. Minor note: api/commands.json marks the ecommerce workflow as `reserved` while a full ecommerce script (run_ecommerce_kit.sh + ecommerce_product_kit.py) is included — the package routes callers to the dedicated ecommerce script rather than the reserved command entry, which is an internal inconsistency but not evidence of malicious intent.
Instruction Scope
SKILL.md restricts operations to user-supplied image URLs or explicit local paths and instructs the agent to upload only allowed image types. The scripts enforce these rules (file-type/magic-byte checks) and avoid scanning arbitrary local directories. The flow explicitly warns that local files will be uploaded to the remote service and instructs not to leak credentials or raw payloads. This scope of actions matches the described purpose.
Install Mechanism
No external install/download steps are declared; this is an instruction-and-script bundle that runs local scripts. No third-party downloads or archive extraction are used, which reduces installation risk.
Credentials
Only one required secret (DESIGNKIT_OPENCLAW_AK) is declared and used for X-Openclaw-AK authorization. Optional environment variables (webapi base, output dir, logging flags) are reasonable for configuration and debugging. The skill does reference other non-secret env variables for defaults (OPENCLAW_HOME etc.) but they are optional and appropriate for file placement.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. It runs its own scripts and resolves output dirs, and contains checks to avoid writing inside the skill repository. Nothing in the package attempts to modify other skills or global agent configuration.
Assessment
This package appears to do what it claims: it will upload user-provided images to the DesignKit / OpenClaw service and download generated images locally. Before installing, consider: (1) The skill requires DESIGNKIT_OPENCLAW_AK — supply only an API key from the legitimate DesignKit site you trust. (2) Any local image you provide will be uploaded to the remote service; do not supply sensitive images you don't want transmitted. (3) Request logging can be enabled for debugging via OPENCLAW_REQUEST_LOG, but the code attempts to redact sensitive fields — avoid enabling logs in untrusted environments. (4) There's a small internal inconsistency: api/commands.json marks one workflow as `reserved` while a shell/python implementation exists; the agent uses the provided scripts rather than relying on the reserved command entry. If you need higher assurance, verify the service endpoints (openclaw-designkit-api.meitu.com and designkit.cn) are correct for your organization and consider rotating or scoping the API key (eg. use a low-privilege/test key) before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dnvv7hwgnp44vp6ce4vp439841nbg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsbash, curl, python3
EnvDESIGNKIT_OPENCLAW_AK
Primary envDESIGNKIT_OPENCLAW_AK

Comments