Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Image Qwen Image

Generate images with Model Studio DashScope SDK using Qwen Image generation models (qwen-image, qwen-image-plus, qwen-image-max and snapshots). Use when impl...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 1k · 2 current installs · 3 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and documentation clearly require a DASHSCOPE_API_KEY (and suggest ~/.alibabacloud/credentials), but the registry metadata claims no required environment variables or primary credential. Requiring that API key is reasonable for the described image-generation purpose, but the metadata omission is an inconsistency that could mislead users about what secrets are needed.
Instruction Scope
SKILL.md and the script stay within the stated image-generation purpose, but the runtime instructions and script explicitly load .env files (from cwd and repository root), read ~/.alibabacloud/credentials, and resolve and download arbitrary reference/image URLs. Loading repository .env and user credential files expands the surface (may pull unrelated secrets) and downloading image URLs returned by the service is network I/O beyond just calling the API.
Install Mechanism
No install spec is embedded; the README recommends pip installing the official-looking 'dashscope' package in a venv. There are no ad-hoc downloads or archive extracts in the skill itself.
Credentials
At runtime the skill needs DASHSCOPE_API_KEY (env or ~/.alibabacloud/credentials). The registry metadata did not declare this, so environment/credential requirements are under-declared. The script also loads .env files from cwd and repo root, which could cause unintended use of other secrets present in those files.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges or modify other skills. It only reads local config files and environment variables for the API key; autonomous invocation is allowed (default) but not excessive here.
What to consider before installing
Before installing or running this skill:

  1. Expect to provide a DASHSCOPE_API_KEY (either via env var or ~/.alibabacloud/credentials); the registry metadata currently omits this, so ask the publisher to update it.
  2. Review and clean any .env files in your current repo/root because the script loads them automatically and may pick up unrelated secrets.
  3. Check ~/.alibabacloud/credentials for sensitive entries and ensure you're comfortable with the skill reading that file.
  4. Inspect the pip package 'dashscope' yourself (or install it in an isolated virtualenv) rather than installing globally.
  5. Note the script downloads image URLs returned by the API (urllib.request.urlopen); test in an isolated environment if you are concerned about fetching external content.
  6. If you need higher assurance, request the publisher to (a) add DASHSCOPE_API_KEY to the skill manifest, (b) document exactly which files are read, and (c) offer an option to disable automatic .env/credentials loading.
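A reviewer can check the under-declared credential finding mechanically by comparing the environment variables a script reads with the ones its manifest declares. The following is an added example, not ClawHub's scanner or the skill's own code; `audit_source`, the watched-call list and the sample script are assumptions made for illustration (Python 3.9+ for `ast.unparse`).

```python
import ast

ENV_CALLS = {"os.getenv", "os.environ.get", "getenv", "environ.get"}
ENV_MAPS = {"os.environ", "environ"}
# Calls the scan singles out: bulk .env loading and outbound fetches.
WATCHED_CALLS = {"load_dotenv", "dotenv.load_dotenv", "urlopen",
                 "urllib.request.urlopen"}


def audit_source(source, declared_env=()):
    """Compare env vars a script reads with those its manifest declares."""
    env_read, watched = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = ast.unparse(node.func)
            if name in WATCHED_CALLS:
                watched.add(name)
            if name in ENV_CALLS and node.args:
                key = node.args[0]
                if isinstance(key, ast.Constant) and isinstance(key.value, str):
                    env_read.add(key.value)
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) in ENV_MAPS:
            key = node.slice
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                env_read.add(key.value)
    return {
        "undeclared_env": sorted(env_read - set(declared_env)),
        "watched_calls": sorted(watched),
    }


# Constructed sample standing in for a skill script (not the real generate_image.py).
SAMPLE = '''
import os, urllib.request
from dotenv import load_dotenv
load_dotenv()
key = os.getenv("DASHSCOPE_API_KEY")
out = os.environ["OUTPUT_DIR"]
data = urllib.request.urlopen(url).read()
'''

if __name__ == "__main__":
    # An empty declared list mirrors registry metadata that names no env vars.
    print(audit_source(SAMPLE, declared_env=[]))
```

Only literal keys are detected; a variable name built at runtime, or secrets pulled in wholesale by a .env loader, still need manual review.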


Current version: v1.0.3
latest: vk97792s7kdx3ar0e6jaq2q0f6x82p7bp

SKILL.md

Category: provider

Model Studio Qwen Image

Validation

mkdir -p output/alicloud-ai-image-qwen-image
python -m py_compile skills/ai/image/alicloud-ai-image-qwen-image/scripts/generate_image.py && echo "py_compile_ok" > output/alicloud-ai-image-qwen-image/validate.txt

Pass criteria: command exits 0 and output/alicloud-ai-image-qwen-image/validate.txt is generated.

Output And Evidence

  • Write generated image URLs, prompts, and metadata to output/alicloud-ai-image-qwen-image/.
  • Keep at least one sample JSON response per run.

Build consistent image generation behavior for the video-agent pipeline by standardizing image.generate inputs/outputs and using DashScope SDK (Python) with the exact model name.

Prerequisites

  • Install SDK (recommended in a venv to avoid PEP 668 limits):
python3 -m venv .venv
. .venv/bin/activate
python -m pip install dashscope
  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials (env takes precedence).
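The lookup order above can be implemented so that only the one secret the skill needs is ever read, with no .env loading at all. This is an added example, not the skill's own script; `resolve_api_key` and the file-permission check are assumptions, while the variable name, file path and key name are the ones this page documents.

```python
import configparser
import os
from pathlib import Path

# Path documented on this page; the key lives under [default].
DEFAULT_CREDENTIALS = Path.home() / ".alibabacloud" / "credentials"


def resolve_api_key(environ=None, credentials_path=DEFAULT_CREDENTIALS):
    """Return (key, source), reading only the secret the skill needs.

    DASHSCOPE_API_KEY in the environment takes precedence, then
    dashscope_api_key under [default] in the credentials file. Nothing is
    exported into os.environ and no .env file is consulted.
    """
    environ = os.environ if environ is None else environ
    key = (environ.get("DASHSCOPE_API_KEY") or "").strip()
    if key:
        return key, "env"

    path = Path(credentials_path)
    if not path.is_file():
        raise LookupError("no DASHSCOPE_API_KEY and no credentials file")

    # Assumed hardening step: refuse a file other local users can access.
    if os.name == "posix" and path.stat().st_mode & 0o077:
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")

    # interpolation=None keeps '%' characters in secrets from being expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path, encoding="utf-8")
    # Other entries in the file are parsed but never returned or exported.
    key = parser.get("default", "dashscope_api_key", fallback="").strip()
    if not key:
        raise LookupError("dashscope_api_key missing under [default]")
    return key, "file"
```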

Critical model names

Use one of these exact model strings:

  • qwen-image
  • qwen-image-plus
  • qwen-image-max
  • qwen-image-2.0
  • qwen-image-2.0-pro
  • qwen-image-max-2025-12-30
  • qwen-image-plus-2026-01-09

Normalized interface (image.generate)

Request

  • prompt (string, required)
  • negative_prompt (string, optional)
  • size (string, required) e.g. 1024*1024, 768*1024
  • style (string, optional)
  • seed (int, optional)
  • reference_image (string | bytes, optional)

Response

  • image_url (string)
  • width (int)
  • height (int)
  • seed (int)

Quickstart (normalized request + preview)

Minimal normalized request body:

{
  "prompt": "a cinematic portrait of a cyclist at dusk, soft rim light, shallow depth of field",
  "negative_prompt": "blurry, low quality, watermark",
  "size": "1024*1024",
  "seed": 1234
}

Preview workflow (download then open):

curl -L -o output/alicloud-ai-image-qwen-image/images/preview.png "<IMAGE_URL_FROM_RESPONSE>" && open output/alicloud-ai-image-qwen-image/images/preview.png

Local helper script (JSON request -> image file):

python skills/ai/image/alicloud-ai-image-qwen-image/scripts/generate_image.py \
  --request '{"prompt":"a studio product photo of headphones","size":"1024*1024"}' \
  --output output/alicloud-ai-image-qwen-image/images/headphones.png \
  --print-response
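Both the preview step and the helper script fetch a URL that arrives in an API response, so it is worth vetting that URL and the downloaded bytes before anything is written to disk. This is an added example, not part of the skill; the function names, the size cap and the accepted formats are assumptions, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

MAX_IMAGE_BYTES = 20 * 1024 * 1024  # assumed cap; tune to the sizes you request
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"RIFF": "webp"}


def _system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_image_url(url, resolver=_system_resolver):
    """Return the vetted address set for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing scheme {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("URL must have a host and no userinfo")
    addrs = resolver(parts.hostname, parts.port or 443)
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Rejects loopback, RFC 1918, link-local (cloud metadata) and similar.
        if not ip.is_global:
            raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return addrs


def sniff_image(data):
    """Identify the payload by magic bytes rather than by URL or header."""
    if len(data) > MAX_IMAGE_BYTES:
        raise ValueError("image exceeds size cap")
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            if kind == "webp" and data[8:12] != b"WEBP":
                continue  # RIFF container that is not WebP
            return kind
    raise ValueError("payload is not a PNG, JPEG or WebP image")
```

Re-run `check_image_url` on every redirect hop, since `curl -L` and `urllib.request.urlopen` follow redirects automatically, and connect to one of the vetted addresses so a second DNS lookup cannot return a different answer.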

Parameters at a glance

Field | Required | Notes
prompt | yes | Describe a scene, not just keywords.
negative_prompt | no | Best-effort, may be ignored by backend.
size | yes | WxH format, e.g. 1024*1024, 768*1024.
style | no | Optional stylistic hint.
seed | no | Use for reproducibility when supported.
reference_image | no | URL/file/bytes, SDK-specific mapping.

Quick start (Python + DashScope SDK)

Use the DashScope SDK and map the normalized request into the SDK call. Note: For qwen-image-max, the DashScope SDK currently succeeds via ImageGeneration (messages-based) rather than ImageSynthesis. If the SDK version you are using expects a different field name for reference images, adapt the input mapping accordingly.

import os
from dashscope.aigc.image_generation import ImageGeneration

# Prefer env var for auth: export DASHSCOPE_API_KEY=...
# Or use ~/.alibabacloud/credentials with dashscope_api_key under [default].


def generate_image(req: dict) -> dict:
    messages = [
        {
            "role": "user",
            "content": [{"text": req["prompt"]}],
        }
    ]

    if req.get("reference_image"):
        # Some SDK versions accept {"image": <url|file|bytes>} in messages content.
        messages[0]["content"].insert(0, {"image": req["reference_image"]})

    response = ImageGeneration.call(
        model=req.get("model", "qwen-image-max"),
        messages=messages,
        size=req.get("size", "1024*1024"),
        api_key=os.getenv("DASHSCOPE_API_KEY"),
        # Pass through optional parameters if supported by the backend.
        negative_prompt=req.get("negative_prompt"),
        style=req.get("style"),
        seed=req.get("seed"),
    )

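    # A failed call carries no output; surface the API error instead of a TypeError.
    if response.status_code != 200:
        raise RuntimeError(
            f"DashScope error {response.status_code}: {response.code} {response.message}"
        )

    # Response is a generation-style envelope; extract the first image URL.
    content = response.output["choices"][0]["message"]["content"]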
    image_url = None
    for item in content:
        if isinstance(item, dict) and item.get("image"):
            image_url = item["image"]
            break
    return {
        "image_url": image_url,
        "width": response.usage.get("width"),
        "height": response.usage.get("height"),
        "seed": req.get("seed"),
    }

Error handling

Error | Likely cause | Action
401/403 | Missing or invalid DASHSCOPE_API_KEY | Check env var or ~/.alibabacloud/credentials, and access policy.
400 | Unsupported size or bad request shape | Use common WxH and validate fields.
429 | Rate limit or quota | Retry with backoff, or reduce concurrency.
5xx | Transient backend errors | Retry with backoff once or twice.

Output location

  • Default output: output/alicloud-ai-image-qwen-image/images/
  • Override base dir with OUTPUT_DIR.

Operational guidance

  • Store the returned image in object storage and persist only the URL in metadata.
  • Cache results by (prompt, negative_prompt, size, seed, reference_image hash) to avoid duplicate costs.
  • Add retries for transient 429/5xx responses with exponential backoff.
  • Some backends ignore negative_prompt, style, or seed; treat them as best-effort inputs.
  • If the response contains no image URL, surface a clear error and retry once with a simplified prompt.

Size notes

  • Use WxH format (e.g. 1024*1024, 768*1024).
  • Prefer common sizes; unsupported sizes can return 400.

Anti-patterns

  • Do not invent model names or aliases; use official model IDs only.
  • Do not store large base64 blobs in DB rows; use object storage.
  • Do not omit user-visible progress for long generations.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • See references/api_reference.md for a more detailed DashScope SDK mapping and response parsing tips.

  • See references/prompt-guide.md for prompt patterns and examples.

  • For edit workflows, use skills/ai/image/alicloud-ai-image-qwen-image-edit/.

  • Source list: references/sources.md

Files

6 total