Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Qwen Image Edit

v1.0.0

Use when editing images with Alibaba Cloud Model Studio Qwen Image Edit models (qwen-image-edit, qwen-image-edit-plus, qwen-image-edit-max, qwen-image-2.0 se...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's name, description, and code (prepare_edit_request.py) match an image-edit helper for Alibaba Cloud Qwen models. However, the SKILL.md explicitly instructs the user to set DASHSCOPE_API_KEY or add an entry to ~/.alibabacloud/credentials so the SDK can authenticate. The registry metadata declares no required env vars or config paths. That mismatch between claimed requirements and actual instructions is unexpected and concerning.
! Instruction Scope
SKILL.md instructs the operator to create a virtualenv, install the 'dashscope' SDK, and provide DASHSCOPE_API_KEY or credentials in ~/.alibabacloud/credentials. The included script itself only prepares JSON and does not read environment variables, but the runtime workflow clearly expects the agent or operator to supply cloud credentials and call cloud APIs. The instructions also direct saving request/response artifacts to output/..., and suggest storing assets in object storage. The skill's instructions therefore access credentials and filesystem locations that are not declared in metadata: scope creep and a documentation/metadata coherence issue.
Install Mechanism
There is no formal install spec in the registry (instruction-only). The SKILL.md tells operators to pip install 'dashscope' in a venv. This is a normal approach for Python helpers but is not enforced by the registry metadata; the package origin (dashscope on PyPI or elsewhere) should be verified before installation. No downloads from arbitrary URLs or extract/install steps are present.
! Credentials
The runtime docs require DASHSCOPE_API_KEY or entries in ~/.alibabacloud/credentials, yet the skill metadata lists no required environment variables or config paths and has no primary credential declared. Requesting cloud API keys is reasonable for an Alibaba Cloud integration, but the omission from the metadata is a significant inconsistency. Users need explicit, minimal credential requirements declared (and guidance about required IAM permissions).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal. Combined with the credential requirement (from SKILL.md), autonomous invocation increases potential blast radius, so confirm the agent's allowed behaviors and credential scope before enabling autonomous runs.
What to consider before installing
Do not install or run this skill until the author clears up the mismatches. Specifically:

  1. The SKILL.md requires DASHSCOPE_API_KEY or ~/.alibabacloud/credentials, but the registry metadata declares no required env vars or config paths; ask the publisher to update metadata to declare these credentials and explain required IAM permissions.
  2. Verify the 'dashscope' package origin (PyPI vs. other) and review it before pip installing in a sandboxed venv.
  3. Provide only a least-privilege API key for testing, preferably a temporary/service account key restricted to the minimal Model Studio actions needed.
  4. Run the validation command (py_compile and the prepare script) in an isolated environment and inspect network calls while exercising the skill to confirm it only talks to Alibaba Cloud endpoints.
  5. If you intend to allow autonomous agent invocation, ensure the agent's policies and credential scopes prevent data exfiltration and limit modifications.

If the publisher cannot justify the missing metadata or provide a trustworthy homepage/source, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

SKILL.md

Category: provider

Model Studio Qwen Image Edit

Validation

mkdir -p output/aliyun-qwen-image-edit
python -m py_compile skills/ai/image/aliyun-qwen-image-edit/scripts/prepare_edit_request.py && echo "py_compile_ok" > output/aliyun-qwen-image-edit/validate.txt

Pass criteria: command exits 0 and output/aliyun-qwen-image-edit/validate.txt is generated.

Output And Evidence

  • Save edit request payloads, result URLs, and model parameters under output/aliyun-qwen-image-edit/.
  • Keep one sample request/response pair for reproducibility.

Use Qwen Image Edit models for instruction-based image editing instead of text-to-image generation.

Critical model names

Use one of these exact model strings:

  • qwen-image-edit
  • qwen-image-edit-plus
  • qwen-image-edit-max
  • qwen-image-2.0
  • qwen-image-2.0-pro
  • qwen-image-2.0-2026-03-03
  • qwen-image-2.0-pro-2026-03-03
  • qwen-image-edit-plus-2025-12-15
  • qwen-image-edit-max-2026-01-16

Prerequisites

  • Install SDK in a virtual environment:
    python3 -m venv .venv
    . .venv/bin/activate
    python -m pip install dashscope
  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials.

Normalized interface (image.edit)

Request

  • prompt (string, required)
  • image (string | bytes, required) source image URL/path/bytes
  • mask (string | bytes, optional) inpaint region mask
  • size (string, optional) e.g. 1024*1024
  • seed (int, optional)

Response

  • image_url (string)
  • seed (int)
  • request_id (string)

Operational guidance

  • Keep prompts task-oriented: describe what to change and what to preserve.
  • Use masks for deterministic local edits.
  • Save output assets to object storage and persist only URLs.
  • For subject consistency, provide explicit constraints in prompt.

Local helper script

Prepare a normalized request JSON and validate response schema:

.venv/bin/python skills/ai/image/aliyun-qwen-image-edit/scripts/prepare_edit_request.py \
  --prompt "Replace the sky with sunset, keep buildings unchanged" \
  --image "https://example.com/input.png"
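
A sketch of the request preparation and response schema check described above, added here as an example; it is not the skill's prepare_edit_request.py. The function names and the "model" request key are assumptions, while the field names, types and model strings come from this page.

```python
import re

# Model strings copied from the "Critical model names" list on this page.
ALLOWED_MODELS = {
    "qwen-image-edit", "qwen-image-edit-plus", "qwen-image-edit-max",
    "qwen-image-2.0", "qwen-image-2.0-pro", "qwen-image-2.0-2026-03-03",
    "qwen-image-2.0-pro-2026-03-03", "qwen-image-edit-plus-2025-12-15",
    "qwen-image-edit-max-2026-01-16",
}
SIZE_RE = re.compile(r"[1-9]\d*\*[1-9]\d*")  # width*height, e.g. 1024*1024

def _is_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)

def build_edit_request(prompt, image, model="qwen-image-edit",
                       mask=None, size=None, seed=None):
    """Return a normalized image.edit request dict or raise ValueError."""
    if model not in ALLOWED_MODELS:
        raise ValueError(f"model is not one of the exact strings: {model!r}")
    if not isinstance(prompt, str) or not prompt.strip():
        raise ValueError("prompt is required and must be a non-empty string")
    if not isinstance(image, (str, bytes)) or not image:
        raise ValueError("image is required (URL, path or bytes)")
    # "model" as a request key is an assumption; the page lists no such field.
    request = {"model": model, "prompt": prompt, "image": image}
    if mask is not None:
        if not isinstance(mask, (str, bytes)) or not mask:
            raise ValueError("mask must be a non-empty string or bytes")
        request["mask"] = mask
    if size is not None:
        if not isinstance(size, str) or not SIZE_RE.fullmatch(size):
            raise ValueError("size must look like 1024*1024")
        request["size"] = size
    if seed is not None:
        if not _is_int(seed):
            raise ValueError("seed must be an int")
        request["seed"] = seed
    return request

def validate_edit_response(response):
    """Return a list of schema problems; an empty list means it conforms."""
    expected = {"image_url": str, "seed": int, "request_id": str}
    problems = []
    for field, kind in expected.items():
        value = response.get(field)
        valid = _is_int(value) if kind is int else isinstance(value, kind)
        if not valid:
            problems.append(f"{field}: missing or not {kind.__name__}")
    return problems
```

Neither function reads DASHSCOPE_API_KEY or the credentials file, so payloads saved under output/ as evidence carry no secret.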

Output location

  • Default output: output/aliyun-qwen-image-edit/images/
  • Override base dir with OUTPUT_DIR.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • references/sources.md
