ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

dmxapi-image-recognition

v1.0.0

使用 DMXAPI 平台进行图像识别和理解。支持 Gemini 等多模态视觉模型。可进行图片描述、OCR文字识别、图表数据分析、物体检测、场景理解等任务。当用户需要识别图片内容、提取图片文字、分析图表、理解图像时使用此技能。

1· 87·0 current·0 all-time
bycryptonee.eth@onee-io
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a CLI wrapper for DMXAPI (image description, OCR, chart analysis, etc.), which is coherent with the stated purpose. However the registry metadata claims no required binaries or env vars while the instructions explicitly require Node.js 20+, installing dmxapi-cli, and setting an API key — this mismatch is unexpected and incoherent.
!
Instruction Scope
Instructions tell the agent/user to convert local images to base64 and upload them (or pass remote URLs) to DMXAPI. That is expected for an image-recognition skill, but it also means local files (including PII like ID cards) will be transmitted off-machine. The SKILL.md does not ask to read other unrelated files or secrets, but it does instruct persistent CLI configuration of an API key.
!
Install Mechanism
There is no formal install spec in the registry, yet SKILL.md tells users to run `npm install -g dmxapi-cli`. A global npm install executes unvetted package install scripts and grants the package filesystem/exec capabilities on the host. Because the package and its origin are not validated in the metadata (no homepage/source provided), this raises installation risk.
!
Credentials
The registry lists no required environment variables or primary credential, but the runtime instructions require configuring an API key (`dmxapi config set apiKey sk-your-api-key`). That mismatch is problematic: the skill will store and use a service credential but does not declare it in metadata, preventing automated permission review. Requesting a single API key is reasonable for the described functionality, but it must be declared and verified.
!
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. However, the CLI step `dmxapi config set apiKey ...` will persist the API key in the user's dmxapi CLI config (local persistence) and a global npm install will write files system-wide. These behaviors are normal for a CLI tool but were not declared in the registry metadata.
What to consider before installing
This skill looks like an instruction-only wrapper for the third-party 'dmxapi-cli', but its registry metadata omits important requirements. Before installing or using it: 1) Verify the dmxapi-cli package on npm (author, downloads, repository, install scripts) and confirm the DMXAPI service (https://www.dmxapi.cn/) is legitimate. 2) Do not upload sensitive images (ID cards, passports, medical records) until you trust the provider—the skill will send local images (base64) to an external API. 3) Prefer supplying a scoped API key with minimal privileges and remove it from local config when no longer needed; be aware `dmxapi config set` will persist the key locally. 4) If you need stronger assurance, request a version of the skill that declares its required env vars and install steps in registry metadata or one that uses an official, audited SDK/source repository. 5) If you cannot verify the npm package or service, avoid running `npm install -g` globally; consider running it inside an isolated VM/container for testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9711yt01fdbbyrp9dnrw8fydd83pdxb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments