Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cs-free-image-generator-nv
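v1.0.1
Uses the NVIDIA MoCL model (via NVIDIA API Playground) for free text-to-image generation. Triggered when the user asks for "生成图片" (generate an image), "画一张图" (draw a picture), "text to image", or "文生图" (text-to-image).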
by Chenfeng @savior1987
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The Python script posts a prompt to an NVIDIA GenAI endpoint and saves the JSON response — this matches the skill's stated text-to-image purpose. However, the _meta.json ownerId ('savior1987') does not match the registry owner id shown in the metadata, which is unexpected and should be explained.
Instruction Scope
SKILL.md and the script only instruct calling NVIDIA's API and saving the response to /tmp. That scope is appropriate for the stated purpose. Concern: the SKILL.md instructs the user to set NVIDIA_API_KEY, but the registry metadata reported 'required env vars: none' — instructions reference an environment secret that is not declared in the registry metadata.
Install Mechanism
There is no install spec (instruction-only plus a script). That minimizes install risk, but the script depends on the 'requests' Python package which is not declared; runtime failures or implicit installation assumptions may occur. No external downloads or obscure URLs are used.
Credentials
The only sensitive item needed at runtime is an NVIDIA_API_KEY (used as a Bearer token), which is proportionate to the task. But the registry metadata does not list any required env vars while SKILL.md and the script both rely on NVIDIA_API_KEY — this metadata omission is an inconsistency that could hide required secrets or reflect sloppy packaging.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system-wide configs, and only writes output to /tmp/cs-free-image-generator/nv/. No elevated persistence or privilege requests were detected.
What to consider before installing
This skill appears to actually call NVIDIA's API for text-to-image, but there are packaging inconsistencies you should resolve before trusting it. Specifically:
- Verify ownership: the included _meta.json ownerId ('savior1987') differs from the registry owner id; confirm the true publisher.
- Confirm NVIDIA_API_KEY handling: SKILL.md and the script expect NVIDIA_API_KEY, but the registry metadata lists no required env vars. Expect to provide only an NVIDIA API key (not other unrelated credentials). The script does not abort if the key is missing (it will send an empty Bearer header), so ensure a valid key is set.
- Dependency check: ensure the runtime has the 'requests' Python package installed or add an install declaration; otherwise the script will fail.
- Review endpoint and privacy: the script sends your prompt (and resulting images) to https://ai.api.nvidia.com; if you will include sensitive or private prompts, be aware they will be transmitted to NVIDIA's service.
- Run in an isolated environment first: test locally or in a sandbox, inspect the saved JSON in /tmp/cs-free-image-generator/nv/<ts>.json, and confirm the behavior matches expectations.
If the publisher can correct the metadata (declare NVIDIA_API_KEY as a required env var and clarify ownership) and declare the 'requests' dependency, this would reduce the suspicious indicators.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97478jkm652mgrj60kwg2a1fh83rexf
