Moyu Make Xhs Pics
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: moyu-make-xhs-pics
Version: v1.0.2
The skill bundle is a legitimate tool designed to convert Markdown articles into social media images using the MiniMax and Alibaba DashScope (Aliyun) APIs. The code follows standard practices for API interaction, image processing with Pillow, and Markdown parsing. No evidence of data exfiltration, unauthorized file access, or malicious execution was found; the use of environment variables for API keys and the downloading of images to /tmp/ are consistent with the stated purpose of the tool (src/image_generator.py, scripts/generate.py).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume credits or quota on the configured image-generation account.
The skill reads provider API keys from environment variables to call MiniMax or DashScope. This is expected for an image-generation integration, but it gives the skill access to API account credentials.
self.api_key = os.getenv('MINIMAX_API_KEY') ... self.api_key = os.getenv('DASHSCOPE_API_KEY')
Use provider keys intentionally, prefer a key with limited scope or quota, and revoke or rotate it if no longer needed.
If the Markdown article contains private or confidential content, parts of it may be sent to MiniMax or Alibaba DashScope.
Prompts generated from the Markdown article are submitted to external image-generation providers. This matches the stated purpose, but it means article text can leave the local environment.
payload = {"model": "image-01", "prompt": styled_prompt, ...}; response = requests.post(self.base_url, json=payload, headers=headers, timeout=120) ... ImageSynthesis.call(api_key=self.api_key, model="qwen-image", prompt=styled_prompt, ...)
Only process Markdown files you are comfortable sharing with the selected provider, and review the provider’s privacy and retention terms.
Installation may depend on whatever package versions are current at install time.
The dependency list does not pin package versions, so a future install may pull newer package versions than the author tested. The packages are consistent with HTTP API calls and image processing.
requests dashscope Pillow
Install from a trusted environment, consider pinning dependency versions, and review package provenance before use.
