Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Imagen
v1.0.0
Generates images at cheap, medium, good or top quality using OpenRouter and the active OpenClaw configuration. Saves the files in the current workspace of the...
by @perilla
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (image generation via OpenRouter) matches the primary credential (OPENROUTER_API_KEY) and the script calls openrouter.ai. Requiring python3 and agents.defaults.imageModel.primary is consistent with selecting model IDs. However, the script also attempts to locate OpenClaw config and auth-profiles files in the user's home directory as fallback sources for the API key, which is more filesystem access than callers might expect.
Instruction Scope
SKILL.md instructs the agent not to run pre-checks or inspect local files, yet the provided script itself reads ~/.openclaw/openclaw.json and auth-profiles.json (and will search those JSON blobs for strings matching sk-or- patterns). That means local config and credential files are read by the script at runtime even though those reads are not clearly declared in the human-facing instructions/metadata.
Install Mechanism
There is no remote install or package download; this is an instruction-only skill with an included Python script. No suspicious external installers or archive downloads are used.
Credentials
The declared primary credential (OPENROUTER_API_KEY) is appropriate. However, the script also honors OPENCLAW_CONFIG and OPENCLAW_AUTH_PROFILES environment variables (not declared in requires.env) and will search auth-profiles.json for any token-like strings starting with 'sk-or-'. That behavior can read additional local credential files and could surface keys the user didn't intend to expose to this skill.
Persistence & Privilege
The skill is not always-enabled and does not request permanent presence or system-wide configuration changes. It does not appear to modify other skills or global settings.
What to consider before installing
This skill largely does what it says (generate images via OpenRouter), but the bundled script will try to find an OpenRouter key by reading OpenClaw config and auth-profiles in your home directory if OPENROUTER_API_KEY is not set. If you install it:
1) Prefer setting OPENROUTER_API_KEY in the environment so the script won't search local config files;
2) Review ~/.openclaw/openclaw.json and ~/.openclaw/agents/*/agent/auth-profiles.json to ensure they don't contain unrelated secrets you don't want the skill to access;
3) Inspect the included scripts/gen_openrouter.py yourself (it is provided) before use;
4) Run the skill in a restricted workspace or sandbox if you are uncomfortable with it reading OpenClaw config files.
If you need the skill but want to avoid file reads, ask the author to make config-file lookups optional or documented.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971xy015cwz0r2a8jnhnmep25838gpt
Runtime requirements
🖼️ Clawdis
Bins: python3
Config: agents.defaults.imageModel.primary
Primary env: OPENROUTER_API_KEY
