DesignKit Ecommerce AI Studio

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent DesignKit image-processing skill, with the main precautions being that it uses your API key and uploads user-provided images for remote processing.

Install only if you are comfortable using your DesignKit/OpenClaw API key and sending selected product images to the remote service. Prefer the inspected ClawHub install path, keep request logging off unless debugging, avoid private or sensitive images, and verify any custom output directory or API-base override before use.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

After you provide the needed image and parameters, the agent may run the bundled scripts to submit the job and download results.

Why it was flagged

The agent is expected to run local shell/Python executors after collecting task inputs. This is purpose-aligned for the image workflow, but users should expect tool execution and network submission.

Skill content
Once enough information is available, briefly restate the action in Chinese and execute it directly.
Recommendation

Use the skill only for intended image-processing tasks, and review the requested action before providing local paths or task details.

ASI03: Identity and Privilege Abuse
Medium
What this means

The skill can act against the DesignKit/OpenClaw service using your configured API key, which may affect account usage or credits.

Why it was flagged

The code reads the DesignKit/OpenClaw API key from the environment and uses it as an authentication header.

Skill content
ak = os.environ.get("DESIGNKIT_OPENCLAW_AK", "").strip() ... "X-Openclaw-AK": ak
Recommendation

Set the API key only in a trusted environment, rotate it if exposed, and avoid enabling verbose request logging unless needed.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Images you provide may leave your device and be processed by DesignKit/OpenClaw.

Why it was flagged

The data flow intentionally sends user-provided local images to a remote provider for processing; this is clearly disclosed and purpose-aligned.

Skill content
Local images supplied by the user may be uploaded to the remote DesignKit / OpenClaw API.
Recommendation

Only provide images you are comfortable uploading to the service, and do not set DESIGNKIT_WEBAPI_BASE to an untrusted endpoint.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Installing directly from a moving repository may expose you to source changes that differ from the reviewed package.

Why it was flagged

The README offers an optional direct GitHub installation command. It is user-directed rather than automatic, but it is less controlled than installing an inspected ClawHub package.

Skill content
npx -y skills add https://github.com/meitu/designkit-skills
Recommendation

Prefer `clawhub inspect` and ClawHub installation, or pin and inspect the repository version before direct installation.