Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
uni-image
v1.0.0
Unified multi-platform AI image generation. Supports Volcengine Seedream, Alibaba Qwen Image, and Google Gemini (Nano Banana). Switch between models with a d...
by 以码悟道 @sangjiexun
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (multi-provider image generation) matches the three API keys requested (Volcengine ARK, DashScope, Google), which is reasonable. However the SKILL.md lists implementation files (uni-image-proxy.js, uni-image-inject.js) and run instructions, but no code files are included in the package. That inconsistency suggests the published skill is incomplete or mispackaged.
Instruction Scope
Runtime instructions tell the agent/user to run a local Node-based HTTP proxy on port 18800 and state that keys are stored at ~/.openclaw-dev/uni-image-config.json. The instructions therefore imply writing/reading local files and making network calls to provider APIs. Those actions are expected for a proxy, but the skill also declares required env vars while simultaneously describing UI-based key storage, so how keys are supplied and used is ambiguous.
Install Mechanism
There is no install spec (instruction-only), which normally lowers risk. But the SKILL.md expects the user to run node against local JS files, yet no required binaries (node) are declared and the referenced JS files are missing. That mismatch is an integrity risk: the package is incomplete.
Credentials
Requested environment variables (ARK_API_KEY, DASHSCOPE_IMAGE_KEY, GOOGLE_API_KEY) are proportional to the stated multi-provider image generation function. The ambiguity: the skill requires these env vars but also instructs storing keys in a local JSON file and using a UI — it's unclear which is actually required at runtime.
Persistence & Privilege
The skill instructs storing API keys in ~/.openclaw-dev/uni-image-config.json, which creates persistent credentials on disk. The skill is not always-enabled and does not request elevated system privileges, but persistence of secrets on disk is a sensitive behavior and should be verified (inspect the code that writes/reads that file).
What to consider before installing
Do not install or run this skill yet. The package is missing the referenced JavaScript files and run-time declarations are inconsistent (it expects you to run node but 'node' is not declared and the code is not included). Before using:
1) Verify the source: visit the provided homepage repository and confirm the uni-image-proxy.js and uni-image-inject.js files exist and match the published package.
2) Inspect those scripts thoroughly to ensure they do not exfiltrate keys or send data to unexpected endpoints (check all network destinations and file writes).
3) Prefer setting provider keys as environment variables rather than pasting them into a UI you don't control; if the skill stores keys to ~/.openclaw-dev/uni-image-config.json, inspect that file's contents and access controls.
4) Confirm you trust the author and the code (or run it in a sandboxed environment) before supplying any API keys.
If you can't inspect the missing code or the repo doesn't match, consider this package incomplete/untrustworthy.
Like a lobster shell, security has layers — review code before you run it.
latest vk97cj7r28wvtbbvm42p4h1kdb183bz22
Runtime requirements
🖼️ Clawdis
Env: ARK_API_KEY, DASHSCOPE_IMAGE_KEY, GOOGLE_API_KEY
Primary env: ARK_API_KEY
