tl-aliyun-image-generator
v1.0.0【专属触发指令:千问画个图】调用阿里云通义万相生成高质量图片。仅当用户的指令以“千问画个图”开头时,才允许路由到此技能。
⭐ 0· 102·0 current·0 all-time
bywangliangyi@roykingw
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included code and instructions: the skill runs a local Python script that calls an Aliyun text-to-image endpoint. No unrelated binaries or cloud credentials are requested up front.
Instruction Scope
SKILL.md explicitly instructs the agent to prompt users to paste their Aliyun API Key into the chat (plaintext) when the script prints [NEED_KEY]. That grants the skill broad ability to solicit sensitive secrets from users and does not suggest a secure input mechanism. It also tells the agent to run a local script and report a local file path back to the user — acceptable for the purpose, but combined with secret solicitation this expands risk.
Install Mechanism
There is no installer spec, but the included script will auto-install the 'requests' package at runtime by invoking pip (subprocess). Runtime pip installs are common but carry risk (network fetching, arbitrary code execution during install) and the script does not pin versions or validate the environment.
Credentials
The skill requests the user's Aliyun API Key by instructing the agent to ask users to paste keys (sk-...). The script then saves the key unencrypted to a local file (.aliyun_key) in the skill directory. Asking for and persisting a plaintext secret via chat is disproportionate given safer alternatives (secure secret input, environment variables, or encrypted storage).
Persistence & Privilege
The script persists the API Key permanently to a local hidden file in the skill folder and will delete it if the key is rejected. It does not request 'always: true' nor modify other skills, but permanent local storage of secrets is a persistence behavior users should be aware of.
What to consider before installing
This skill appears to perform Aliyun image generation as described, but it instructs the agent to ask users to paste their Aliyun API Key into the chat and the bundled script saves that key in plaintext to a local file (.aliyun_key). Before installing or using it, consider: 1) Do not paste production or high-privilege API keys into chat — create a scoped/test key for this purpose that you can revoke. 2) Review the script code (already included) and be aware it will auto-install Python packages via pip at runtime. 3) If you must use it, run the skill in a sandboxed environment or a throwaway account, set restrictive file permissions on the saved key, and consider manually placing the key in a secure location (or editing the script to read from a safe secret store) instead of sending it through chat. 4) If you are uncomfortable with plaintext storage or chat-based secret input, do not install the skill or modify it to use an environment variable or encrypted storage for the API key.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎓 Clawdis
latest
Aliyun Image Generator
🚨 严格触发条件: 你必须且只能在用户的输入明确包含或以 “千问画个图:” 或 “千问画个图” 开头时,才触发并使用本技能。 如果用户只是说“画个图”或“生成图片”而没有带上“千问”字眼,请勿使用本技能(请使用你系统默认的画图工具)。
工作流程
- 创意扩写:将用户的简短提示扩写为 50-100 字的详细画面描述。
- 执行生成:调用本地 Python 脚本。
命令格式
默认调用格式(如果已经配置过 Key):
python3 scripts/generate_image.py "你扩写后的详细画面描述"
【重要:API Key 处理逻辑】 如果你执行上述命令后,终端返回 [NEED_KEY] 的错误信息,说明本地尚未配置阿里云 API Key。 此时,你必须:
中断画图任务,在聊天中礼貌地回复:“我需要您的阿里云百炼 API Key 才能使用通义万相为您画图。请直接将 Key 发送给我(以 sk- 开头)。” 当用户回复了 API Key 后,使用带 Key 的命令重新执行:
python3 scripts/generate_image.py "你扩写后的详细画面描述" "sk-xxxxxxxxxxxx"
(注:Python 脚本接收到后会自动将其永久保存到本地,下次就不需要再传了)
结果反馈
脚本执行完成后,会输出图片的本地保存路径(如 downloads/generated_img_xxx.png)。 请直接将这个文件路径和名称告诉用户。
Comments
Loading comments...