Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

the ai painting interface of suichuang api

v1.0.0

Generate images using NanaBanana 2 for daily needs or switch to NanaBanana Pro for high-quality, realistic, or final draft artwork.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's stated purpose (generate images via NanaBanana 2/Pro) matches the instructions, which call an external API (https://api.wuyinkeji.com). However, the skill metadata declares no required environment variables or primary credential, while the instructions repeatedly require 'your key' (Authorization header, JSON body field, and URL query param). A legitimate API-integration skill would normally declare a required API key (primaryEnv) and document where to provide it.
[!] Instruction Scope
SKILL.md is prescriptive and bounded to image-generation endpoints and polling logic (POST submit, GET poll every 3s up to 20 times). However, it also instructs the agent to place the API key interchangeably in headers, the JSON body, or a URL query parameter. Placing secrets in URL query parameters is a risky practice (it exposes keys in logs and Referer headers). The instructions do not specify how the agent should obtain the key (no declared env var or config location), leaving ambiguity about credential sourcing and handling.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes filesystem/install risk because nothing is downloaded or executed by an installer.
[!] Credentials
The functionality legitimately requires an API key, but requires.env and primary credential are both empty in metadata. This mismatch is disproportionate: the skill expects a secret but doesn't declare it. The instructions encourage unsafe placement of the key (URL/body) rather than recommending a secure, declared environment variable.
Persistence & Privilege
always:false and no special config paths or system modifications. The skill can be invoked autonomously (default), which is standard for skills; there is no evidence it requests permanent elevated presence.
What to consider before installing
This skill appears to be a simple API wrapper for an external image service, but the metadata fails to declare the API key it expects, and the instructions recommend putting the key in headers, body, or URL (URL query parameters are unsafe for secrets). Before installing, verify the service and author (no homepage provided), and ask the author to: (1) declare a primaryEnv for the API key so you can provide it securely, (2) recommend using an Authorization header or environment variable instead of URL query params, and (3) provide a homepage or documentation and privacy/terms. If you proceed, supply the key only via a secure agent-secret/env mechanism (not a URL query parameter), and avoid giving the key if you do not trust the api.wuyinkeji.com domain or the skill owner.
