Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aliyun-image

v1.1.0

Alibaba Cloud Bailian (Model Studio) image generation, editing and translation. Text-to-image: generates images from a text prompt, including rendering of complex text. Image editing: single-image editing, multi-image fusion, style transfer, object addition and removal. Image translation: translates text inside an image while preserving the original layout; supports 11 source languages and 14 target languages. Trigger phrases: generate image, AI painting, text-to-image, image editing, photo retouching, background replacement, style transfer, multi-image fusion, image translation, picture translation. Models: qwen-image-plus (default), qwen-image-max, qwen-image-edit-plus (default), qwen-image-edit-max, qwen-mt-image.

1 · 1.1k · 7 current · 7 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
Name/description, docs, and client code all target Aliyun DashScope image APIs (generation, edit, translate) and use endpoints under dashscope.aliyuncs.com, so that part is coherent. However, the registry metadata lists no required environment variables and no primary credential, while SKILL.md, README and the scripts clearly require DASHSCOPE_API_KEY. The skill's Source/Homepage fields are marked unknown/none even though SKILL.md and README contain repository links, an inconsistency in the provenance information.
Instruction Scope
Runtime instructions and code show normal API usage: POST requests to DashScope endpoints, polling of async tasks, and optional base64 encoding of local files for upload. The instructions do not ask the agent to read unrelated system files or secrets. Important behavior: the client reads any local image files it is given, encodes them and uploads them to the API, and downloads the generated images. That is expected for image edit and translate, but it means any file path handed to the skill leaves the machine, which carries privacy implications.
Install Mechanism
No install spec (instruction-only), which minimizes installer risk. A client.py is nevertheless bundled in the package; no install steps add system binaries. This is consistent with an instruction-only skill, but note that executable code ships with the package even though no installation is declared.
Credentials (flagged)
The skill requires a single API key (DASHSCOPE_API_KEY) according to SKILL.md/README/scripts, which is proportionate to the described cloud API usage. However the declared registry requirements list no env vars or primary credential — a clear mismatch. The client only uses that single key (no unrelated credentials), so the requested privilege is limited but the omission in metadata is a red flag.
Persistence & Privilege
always:false and default invocation settings; no persistent or elevated privileges are requested. The skill does not modify other skills or system-wide configs. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This package appears to implement the Aliyun DashScope image APIs and will work if you provide a DASHSCOPE_API_KEY, but the public metadata omits that required environment variable and the homepage/source fields are incomplete. Before installing:
1) Verify the upstream repository (SKILL.md points to a GitHub URL) and inspect its commits and issues to confirm legitimacy.
2) Supply a least-privilege API key, created with only the AIGC permissions the image APIs need, rather than a broader account key.
3) Remember that local files you pass to the client may be uploaded to Aliyun; don't send sensitive images.
4) Test in an isolated environment first and monitor network requests, confirming that every call goes to dashscope.aliyuncs.com.
If the missing DASHSCOPE_API_KEY declaration or the absent homepage concerns you, ask the publisher to correct the metadata before proceeding.


latest · vk971hgyvmd2jxt91g68sva3v71812af3
