Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ModelScope AI Image Generator
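v1.0.0
ModelScope (魔搭) AI image generation. Supports multiple models and LoRA fine-tuning. Trigger words: 生成图片 (generate image), AI绘画 (AI painting), 文生图 (text-to-image), image generation, generate image. Use when the user asks to generate an image, draw a picture, or create AI art, or mentions 魔搭, ModelScope, or 通义万象 (Tongyi Wanxiang).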
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a ModelScope image generator and the code/SKILL.md implement that exactly (calls ModelScope inference endpoints, supports LoRA). However, the registry metadata lists no required environment variables or primary credential while both the script and SKILL.md require an API key (MODELSCOPE_API_KEY or config file). That mismatch is an incoherence in the manifest.
Instruction Scope
SKILL.md and the script stay within the stated purpose: they instruct how to supply an API key, call ModelScope endpoints, poll for task completion, download the generated image and save it locally. There is no instruction to read unrelated system state or transmit unrelated data.
Install Mechanism
There is no install spec (instruction-only), which reduces risk. The package includes a Python script that requires requests and pillow (noted in SKILL.md). No external archives or obscure download URLs are used. The presence of an executable script without an install step is acceptable but SKILL metadata could list these dependencies.
Credentials
The script expects an API key via CLI/env/config (~/.modelscope/api_key) and can save that key to a local file. Requesting a single ModelScope API credential is proportionate to the stated purpose, but the skill metadata does not declare it (missing required env/primary credential). The ability to write the API key to ~/.modelscope/api_key should be noted by users.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It does write a per-user config file (~/.modelscope/api_key) when asked to save a key, which is expected behavior for a CLI client.
What to consider before installing
This skill's behavior is consistent with a ModelScope image generator, but the registry metadata omitted the API-key requirement. Before installing, review the included scripts/generate.py yourself and confirm you trust the source. If you use it, provide a dedicated ModelScope API key (avoid using any high-privilege or shared keys), and consider running the script in an isolated environment. Note that the script can save the key to ~/.modelscope/api_key — verify the file path and permissions, and remove the file if you later revoke the key. Finally, install the minimal dependencies (requests, pillow) and prefer passing the key via CLI or an ephemeral environment variable rather than storing it permanently if you have concerns.
Like a lobster shell, security has layers — review code before you run it.
latest vk977493fms23z1c4yb981ax11n83jhd2
