TencentCloud Aiart TextToImage
v1.0.0
Skill for Tencent Cloud HunYuan Text-to-Image Generation (混元生图). Provides AI image generation from text prompts using the HunYuan large model. Supports refer...
by 败毒 @neck-cn
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md and included scripts all align: they submit and poll Tencent Cloud Aiart (HunYuan) async jobs. The capabilities requested by the code (calling aiart.tencentcloudapi.com) are appropriate for the stated purpose. However, the registry metadata lists no required environment variables while both SKILL.md and all scripts clearly require TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (and optionally TENCENTCLOUD_TOKEN). This metadata mismatch is inconsistent and worth flagging.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts automatically (zero-interaction) and explicitly states that the agent must execute them without asking the user for confirmation. The scripts read credentials from environment variables and make network calls to Tencent Cloud. The no-confirmation mandate increases risk if the agent is invoked autonomously.
Install Mechanism
There is no install spec in the registry, but each script auto-installs the Python SDK by running pip install (subprocess.check_call). Auto-installing via pip is common but causes network activity (PyPI) and writes packages to the environment at runtime. No arbitrary URL downloads or obfuscated installers were found.
Credentials
The only secrets the code uses are Tencent Cloud API credentials (TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY, optional TENCENTCLOUD_TOKEN), which are proportional to the stated purpose. The inconsistency is that the registry metadata declared no required env vars while the skill actually requires those credentials; that mismatch could lead to unexpected failures or surprise prompts.
Persistence & Privilege
The skill does not request permanent/always inclusion (always:false), does not modify other skills or system-wide configs, and does not persist credentials itself. The primary privilege concern is the SKILL.md's insistence on zero-interaction execution combined with autonomous invocation being allowed by default — this increases potential impact but is not by itself a malicious indicator.
What to consider before installing
This package implements Tencent Cloud's HunYuan text-to-image API and will work only if you supply TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY in your environment. The registry record incorrectly lists no required env vars — confirm you are comfortable providing those credentials. Note the scripts will auto-install the Tencent Cloud Python SDK (pip) at runtime and will run network calls to aiart.tencentcloudapi.com; SKILL.md also instructs the agent to execute scripts without asking you first.
If you plan to install/use this skill:
(1) only provide credentials with the minimum permissions needed and monitor their use;
(2) prefer running the scripts manually first to inspect behavior and logs;
(3) consider running in an isolated environment if you want to avoid automatic pip installs or network access.
If you need more assurance, ask the publisher to update registry metadata to declare required env vars and to document dependency installation more transparently.
Like a lobster shell, security has layers — review code before you run it.
