Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibaba Cloud Bailian Qwen Image 2.0 image generation. Supports text-to-image and image-to-image (reference image + text). For product promotion image generation, e-commerce image editing, marketing material creation. Provides Python API, CLI tool, and ComfyUI custom nodes.

v1.0.1

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims no required environment or credentials in its registry metadata, but both SKILL.md and the Python code require an Alibaba 'DASHSCOPE_API_KEY' (Bearer auth) and make network calls to dashscope.aliyuncs.com. The presence of ComfyUI node code also depends on torch/numpy at runtime but these are not declared in requirements or installation instructions. The required credential and runtime libs are proportional to image-generation, but the metadata omission is incoherent.
Instruction Scope
SKILL.md instructions align with the stated purpose (text2image and image2image via Bailian). It instructs copying files into ComfyUI and storing the DASHSCOPE_API_KEY in a .env file (or exporting it). The instructions cause secrets to be written to disk (.env) and advise copying into ComfyUI/custom_nodes where code will run automatically — this is expected but should be noted. The docs do not mention installing torch/numpy which the ComfyUI nodes import (ComfyUI typically provides them, but it's not documented here).
Install Mechanism
No remote install downloads or executable installers; it's an instruction-only skill with local Python scripts and assets. Dependencies listed are requests and Pillow (in requirements.txt and SKILL.md). There are no external URLs used to pull arbitrary code at install time.
Credentials
The code requires DASHSCOPE_API_KEY but the skill metadata declares no required env vars or primary credential — a clear mismatch. Both scripts load .env files from parent directories and set environment variables globally (os.environ.setdefault / os.environ[key] = value), which may unintentionally import unrelated secrets present in those .env files. The number and sensitivity of env vars used (API key) is reasonable for the feature, but the metadata omission and broad .env loading are concerning.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or platform-wide privileges. It writes temporary files during i2i processing, and SKILL.md instructs users to create a .env file in the ComfyUI directory (a user action). The skill does not modify other skills or system-wide settings by itself.
What to consider before installing
Before installing:

1. Expect to provide an Alibaba Bailian 'DASHSCOPE_API_KEY' — the skill metadata did not declare this, so do not paste other secrets into .env files.
2. Verify dashscope.aliyuncs.com is the expected official endpoint for your account; prefer official SDKs or vendor docs if unsure.
3. The ComfyUI node imports torch/numpy — ComfyUI normally provides those, but ensure your environment satisfies runtime dependencies.
4. The scripts will load a .env file from parent directories and set all found keys into the process environment; check those .env files for unwanted secrets before copying files into ComfyUI.
5. Review the two Python files yourself (they are short and readable) and, if possible, run them in an isolated environment (container or VM); avoid storing long-lived secrets in world-readable files.
6. Because the package source/homepage is unknown, prefer obtaining client code from an official Alibaba/console-backed SDK or an identified, trusted repository if you need production use.
