Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
seedream5
v1.0.0
Uses the Seedream5.0 API for text-to-image and reference-image generation. When the user mentions "generate an image", "produce an image", "poster image", "cover image", "generate from a reference image", or asks for a specific resolution or watermark, prefer this skill. It calls the fzGenerateImg5 endpoint with the parameters prompt (required), size (optional), watermark (optional), and image (optional). Requires...
by cmhan@runninghcm
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md and the scripts consistently implement an image-generation client that posts prompt/size/watermark/image to an API — this matches the stated purpose. However the implementation points to agent.mathmind.cn as the API host while the documentation references obtaining an x-api-key from kexiangai.com; the registry metadata declares no required credentials even though the skill requires an X_API_KEY. The mismatch between claimed provider names/domains and the missing credential declaration is inconsistent and unexplained.
Instruction Scope
Runtime instructions are narrowly scoped to collecting a prompt, validating parameters, reading an X_API_KEY (from a one-time persistent file or environment), calling the remote API, and returning results. They do not instruct reading arbitrary user files or other credentials. Still, the instructions explicitly read/write ~/.config/seedream5.0/.env and environment variable X_API_KEY — this behavior is not reflected in the registry metadata.
Install Mechanism
There is no install spec (lowest risk). The included scripts use curl and python3 to perform the network call and parse the response. The registry metadata did not declare required binaries (curl, python3), which is an omission but not necessarily malicious. No downloads from untrusted URLs or archive extraction are present.
Credentials
The skill requires a single API key (X_API_KEY) to operate, which is proportionate for an API client. However the registry metadata lists no required env vars or primary credential while the SKILL.md instructs persistent local storage of the key (~/.config/seedream5.0/.env) and environment variable usage. The guidance to obtain the key from kexiangai.com but to call agent.mathmind.cn is an unexplained mismatch and could indicate misconfiguration, proxying, or a third-party aggregator — you should verify the trustworthiness of those domains before storing secret keys.
Persistence & Privilege
The skill requests only local persistence of the API key in a per-user config file (~/.config/seedream5.0/.env). always:false and no system-wide or other-skills modifications are requested. Autonomous invocation is enabled by default (normal); that combined with the credential persistence increases blast radius if the key is compromised but is not itself unusual.
What to consider before installing
This skill is functionally coherent as an image-generation client, but there are important inconsistencies you should verify before use: (1) Confirm the real API host and key provider — the SKILL.md references kexiangai.com for keys but the scripts call agent.mathmind.cn. Make sure both domains are legitimate and you understand who will receive your requests. (2) The registry metadata omits required credential and binary declarations (the skill reads X_API_KEY and uses curl/python3); treat this as a packaging/omission issue. (3) If you proceed, avoid storing any high-value or reused credentials; prefer a dedicated/test API key, inspect network traffic if possible, and verify the service's privacy/TOS. If you cannot independently confirm the endpoint and key vendor, do not store production/privileged keys in ~/.config/seedream5.0/.env.
