Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
dmxapi-image-generation
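v1.0.1
Generate and edit images using the DMXAPI platform. Supports multiple models including Gemini, Seedream (Doubao Jimeng), and OpenAI. Handles text-to-image, image editing, multi-image fusion, and web-search-enhanced image generation. Use this skill when the user needs to generate images, edit images, do AI drawing, or fuse multiple images.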
⭐ 1· 115·1 current·1 all-time
by cryptonee.eth @onee-io
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a DMXAPI CLI workflow (generate/edit images, local image input, web-search enhancement) that is coherent with the skill's stated purpose. However the registry metadata lists no required binaries or environment, while the SKILL.md explicitly requires Node.js 20+ and dmxapi-cli. That mismatch (metadata claims no requirements but the instructions require installing a global npm package and Node.js) is an incoherence.
Instruction Scope
The runtime instructions stay within the stated image-generation purpose: they tell the agent/user to install dmxapi-cli, set an API key via the CLI, run dmxapi image commands, read local image files passed with --image, and save outputs. The web-search option implies network requests for search/data enrichment, which is expected for the feature. Instructions do not ask for unrelated system files or multiple unrelated credentials.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md directs users to run npm install -g dmxapi-cli (global npm install). Installing a global npm package is a moderate-risk operation because it executes third-party code on the host. The skill provides no publisher/homepage or checksum to verify the package, and the registry metadata lacks a declared install mechanism — this is disproportionate and should be verified (check npm package ownership, repository, and release provenance).
Credentials
The skill declares no required environment variables, but the instructions require configuring an API key via 'dmxapi config set apiKey sk-your-api-key'. That is a sensitive credential and should be declared in metadata (primaryEnv) so users know what will be required and stored. The SKILL.md implies storage of the API key in the CLI's config; the skill metadata gives no guidance about where the key is stored or whether it is transmitted elsewhere.
Persistence & Privilege
The skill is user-invocable, not always-included, and does not request modification of other skills or global agent settings. There is no indication the skill asks the agent to persist beyond its own commands. This is appropriate for an instruction-only CLI integration.
What to consider before installing
Before installing or using this skill:
1) Verify the dmxapi-cli npm package and its publisher (check npm page, repository, and GitHub repo/commits) to ensure you trust the code you will install globally.
2) Confirm where the CLI stores the API key (local config file, plaintext) and consider using a dedicated key with limited scope.
3) Ask the skill author to update registry metadata to declare Node.js and the API key requirement (primaryEnv) and to provide a homepage/repo link and install spec.
4) If possible, run the CLI in a sandboxed environment or container first rather than installing globally.
5) Do not reuse sensitive credentials (AWS, GitHub, etc.) with this tool unless you have verified its provenance.
Providing the repository URL, package checksum, or a verified homepage would increase confidence.
Like a lobster shell, security has layers — review code before you run it.
