ClawHub

Qwen Vision

v0.1.0

Analyze images and videos using Qwen Vision API (Alibaba Cloud DashScope). Supports image understanding, OCR, visual reasoning.

0· 637·2 current·2 all-time
by@perchouli
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the included script base64-encodes an image and posts it to DashScope's Qwen Vision endpoint. The only required binary is python3, which is reasonable.
Instruction Scope
SKILL.md instructs running the shipped script and documents possible locations to obtain the API key (including ~/.openclaw/openclaw.json or DASHSCOPE_API_KEY). The runtime script itself, however, requires an --api-key argument and does not read those config paths or environment variables. The instructions do not direct reading unrelated files or exfiltrating system data.
Install Mechanism
No install spec or remote downloads are present; this is an instruction-only skill with a small included script. Nothing is fetched from external/untrusted URLs during install.
Credentials
The skill legitimately requires a DashScope API key. Registry metadata lists no required env vars, but SKILL.md suggests DASHSCOPE_API_KEY or ~/.openclaw config as sources; the script actually requires an explicit --api-key. This is an implementation/documentation mismatch but the credential requested is proportional to the skill's function.
Persistence & Privilege
Skill is not always-enabled, does not request persistent or elevated system privileges, and does not modify other skills or system-wide configuration.
Assessment
This skill sends your image (base64-encoded) and prompt to Alibaba Cloud DashScope (Qwen Vision) — you'll need a valid API key. Confirm you trust the external service before sending sensitive images. Note a small mismatch: documentation suggests the key can be read from ~/.openclaw/openclaw.json or DASHSCOPE_API_KEY, but the bundled script requires --api-key (it doesn't auto-read those locations). If you want the convenience of env/config lookup, verify or modify the script yourself. Otherwise, review where you store the API key and avoid passing it in shells or logs if you need secrecy. Lastly, since the skill transmits image data externally, ensure this aligns with your privacy/compliance requirements.

Like a lobster shell, security has layers — review code before you run it.

latestvk978drfajk46fc89ds4bfcjyzd83fdan

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👁️ Clawdis
Binspython3

Comments