Skill v1.1.4

ClawScan security

图像生成 / Image Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 15, 2026, 1:26 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary: The skill appears to implement Coze-based image generation as claimed, but its runtime instructions read a dependency's config (including an API key), and there are small metadata/config mismatches that are not declared. Confirm the dependency and credentials before installing.

Guidance: This skill generally does what it claims (call Coze workflows and save generated images), but before installing:
1) Confirm you have and trust the declared dependency 'coze-workflow' (inspect its code and config).
2) Be aware the skill will read ~/.openclaw/skills/coze_workflow/config.json to obtain an API key and base_url; the skill metadata does not list this credential, so make sure the stored key is intended to be used this way.
3) Verify the Coze API base URL (defaults to https://api.coze.cn) to avoid accidental calls to unexpected endpoints.
4) Note that files will be saved under generated_images in the agent workspace; if that is undesirable, prepare a sandbox or a cleanup policy.
5) The package metadata includes inconsistent version info and a placeholder workflow_id in config.json; resolve these before use.
If you want higher assurance, inspect the coze_workflow skill and its config.json contents, or restrict network access while testing.

Review Dimensions

Purpose & Capability
Note: The name/description (Coze image generation using Seedream 4.5) matches the instructions, which call Coze workflow endpoints. The skill correctly declares a dependency on coze-workflow. Minor inconsistencies: registry metadata lists v1.1.4 while the included _meta.json and SKILL.md show v1.1.3, and config.json contains a placeholder for workflow_id rather than a concrete value.
Instruction Scope
Concern: SKILL.md instructs the agent to read ~/.openclaw/skills/image_gen_coze/config.json and ~/.openclaw/skills/coze_workflow/config.json (to extract an API key and base_url), POST to the Coze API, parse streaming events, download image URLs, and save images to a ./generated_images directory. Reading the dependency's config (API key) and writing files to disk are in scope for an image generation skill, but the skill metadata declares no required config paths or credentials; that is a mismatch and should be made explicit. The instructions also make network calls to the Coze API using the credential found in the dependency config.
Install Mechanism
OK: Instruction-only skill with no install spec and no code files. This is the lowest install risk (nothing is downloaded or executed by an installer).
Credentials
Concern: Metadata declares no required environment variables or credentials, but the runtime instructions explicitly read an API key from the coze_workflow config file (~/.openclaw/skills/coze_workflow/config.json). That implicit requirement (access to the dependency's API key) should be declared. The skill will make outbound requests using that key, so verify that you trust the coze_workflow skill and the key stored there.
Persistence & Privilege
OK: The always flag is false and the skill does not request elevated privileges. It writes generated images to a workspace-local ./generated_images directory (normal for this function) and does not modify other skills or system-wide settings.