Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
lovart skill
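v1.0.0
Integrates with the Lovart.ai API to generate AI designs, images, and videos. Supports image generation, image editing, video creation, and template workflows.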
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description, SKILL.md, prompt.md, config.json and examples.sh consistently describe a Lovart.ai image/video generation integration — that matches the stated purpose. However, the registry metadata claims no required environment variables or primary credential while the SKILL.md/config/examples clearly require LOVART_API_KEY. This metadata omission is incoherent and could lead to silent failures or misconfiguration.
Instruction Scope
Runtime instructions are scoped to calling Lovart API endpoints (POST /v1/design/generate, GET /v1/design/{id}) and handling task polling; they explicitly instruct using an API key in the Authorization header and recommend backend proxying. Nothing in the instructions reads unrelated system files or exfiltrates data. However, the prompt-injection check (unicode-control-chars) flagged SKILL.md/prompt.md, so a manual review is worthwhile to ensure no hidden control characters alter model behavior.
Install Mechanism
No install spec (instruction-only plus example script) — low installation risk. The skill does not download or extract external archives.
Credentials
Functionally the skill only needs a single service credential (LOVART_API_KEY), which is proportionate. But the top-level registry metadata lists no required env vars/primary credential while config.json, SKILL.md, prompt.md and examples.sh require LOVART_API_KEY. Also examples.sh calls jq (and curl), but the manifest's required binaries list is empty — undeclared runtime dependency. These inconsistencies reduce trust and need correction before use.
Persistence & Privilege
The skill does not request always:true or any elevated persistent privileges. It is user-invocable and allows normal autonomous invocation; nothing in the files attempts to modify other skills or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode characters were detected in SKILL.md/prompt.md. While the visible instructions are benign, hidden control characters can be used to attempt prompt-injection or to alter how models parse content. Manual inspection or a sanitized copy is recommended.
What to consider before installing
This skill appears to do what it claims (calls Lovart.ai), but the package metadata is inconsistent. Before installing or using it:
1) Verify the source/owner (unknown origin).
2) Confirm you have and will supply LOVART_API_KEY as an environment variable — the skill and examples require it though the registry metadata omitted it.
3) Ensure the runtime environment includes curl and jq (examples.sh uses jq) or adjust examples accordingly.
4) Manually inspect SKILL.md and prompt.md for any hidden/strange unicode/control characters (the scanner flagged them).
5) Do not put your API key in client-side code; prefer a backend proxy as the skill itself recommends.
If the owner/source cannot be validated or the metadata is not corrected, treat the skill with caution and avoid giving it sensitive, high-privilege credentials.
Like a lobster shell, security has layers — review code before you run it.
latest vk975x1vxf46b339jz5cf5371pn83jba9
