LiblibAI
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and configured, the skill can use your LiblibAI account and consume its available credits.
The skill uses LiblibAI account credentials to call the provider API, which is expected for the stated integration but gives the skill delegated account access.
this.accessKey = options.accessKey || process.env.LIBLIBAI_ACCESS_KEY; ... this.client = new LiblibAI({ apiKey: this.accessKey, apiSecret: this.secretKey, baseURL: this.baseURL })
Use a dedicated API key if possible, keep the secret key private, and revoke or rotate the key if you stop using the skill.
Images or files selected for upload may leave your machine and be processed by LiblibAI.
The upload command reads a user-specified local file and sends it to the LiblibAI API, which is consistent with image-to-image and reference-image workflows but involves transferring local content to an external provider.
const fileBuffer = fs.readFileSync(file); ... const uploadResult = await client.uploadFile(fileBuffer, filename);
Only upload files you are comfortable sending to the provider, and avoid private, regulated, or confidential images unless LiblibAI’s terms meet your needs.
Repeated or batch image generation can consume paid LiblibAI credits.
The documentation discloses that generation consumes credits and includes batch/concurrent generation examples, which are purpose-aligned but can spend account resources quickly if used without supervision.
Each generation consumes 2-5 credits ... for product in "咖啡杯" "笔记本" "耳机"; do ./bin/cli.js text2img ... & done
Confirm large, high-resolution, or batch generation requests before running them, especially in automated workflows.
Installing or running the skill relies on third-party npm packages in addition to the reviewed local wrapper code.
The skill depends on external npm packages; this is normal for a Node-based API wrapper, and the provided lockfile includes resolved package integrity values.
"dependencies": { "commander": "^14.0.3", "liblibai": "^0.0.11" }
Install from trusted package sources and prefer the provided lockfile or a pinned dependency review process.
