Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TS Images

General-purpose image-to-image generation (OpenAI style) and Gemini generateContent text-to-image. Use when: text-to-image, asynchronous image generation, Gemini image models.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 87 · 0 current installs · 0 all-time installs
by tianshu @wangshengli0421
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (image generation, Gemini generateContent) match the required secret (TS_TOKEN) and AIZNT_PROXY_URLS which provide the service endpoints. The code only implements HTTP calls to those endpoints and does not request unrelated credentials or binaries.
Instruction Scope
SKILL.md and scripts instruct the agent to POST JSON bodies (or read a local file via --body-file) to the URLs contained in AIZNT_PROXY_URLS. This is expected for a proxy-based image client, but it means whatever URLs are in AIZNT_PROXY_URLS will receive prompts and files — verify those endpoints are trusted. The script reads arbitrary local file paths only when the user passes --body-file (user-controlled).
Install Mechanism
No install spec or external downloads; the skill is instruction+bundled JS files only. Nothing is fetched or executed from third-party URLs at install time.
Credentials
Only two environment inputs are required: primaryEnv TS_TOKEN (auth token) and AIZNT_PROXY_URLS (JSON mapping of API endpoints). Both are directly used by the client and are proportionate to an API proxy client.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (default), and because it uses a network token and sends data to configurable endpoints, autonomous invocation increases potential impact; consider limiting autonomous use if you cannot fully trust the token or endpoint config.
Assessment
This skill appears to be a straightforward client that forwards image-generation requests to endpoints defined in AIZNT_PROXY_URLS, authenticated with TS_TOKEN. Before installing: verify the origin of the TS_TOKEN and the contents of AIZNT_PROXY_URLS (ensure endpoints are official/trusted domains), avoid passing sensitive local files via --body-file unless you intend to upload them, and be aware that if the agent invokes this skill autonomously it can send prompts/files to the configured endpoints. If you cannot verify the proxy URLs or token source, either do not install the skill or restrict it from autonomous invocation, and revoke the token if suspicious activity is observed.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/client.js:3: Environment variable access combined with network send.
scripts/images.js:51: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
Tags: gemini, image, latest, tianshu

Runtime requirements

Env: AIZNT_PROXY_URLS
Primary env: TS_TOKEN

SKILL.md

Image-to-image (aiznt-images)

Commands

node scripts/images.js sync --body '{"prompt":"...","model":"..."}'
node scripts/images.js async --body '{...}'
node scripts/images.js async-fetch --task-id <id>
node scripts/images.js generate-content --model gemini-3-pro-image-preview --body '{...}'

URL keys

  • v1_images_generations
  • v1_images_generations_async
  • v1_images_generations_async_fetch{task_id}
  • v1_models_generate_content{model}

Configuration is the same as for the other aiznt-* skills: batch-written by TsClaw "Sync Tianshu Credentials".

Files

5 total