Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ERNIE-Image文生图SKILL

v1.0.2

Generate images with ERNIE-Image. Use for image create requests incl. edits. Supports text-to-image ; - 1024x1024/1376x768/1264x848/ 1200x896/896x1200/848x12...

0· 82·0 current·0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for livingbody/ernie-image.

Install the skill "ERNIE-Image文生图SKILL" (livingbody/ernie-image) from ClawHub.
Skill page: https://clawhub.ai/livingbody/ernie-image
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ernie-image

ClawHub CLI


npx clawhub@latest install ernie-image
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: a Python wrapper that calls an OpenAI-compatible ERNIE-Image endpoint. However the skill metadata declares no required environment variables or primary credential, while the script and SKILL.md clearly expect an API key (ERNIE-Image_API_KEY / ERNIE_Image_API_KEY / BAIDU_API_KEY or --api-key). Also minor mismatches (arg help says 'Gemini API key', SKILL.md references different skill paths) indicate sloppy packaging but not obvious malicious intent.
Instruction Scope
SKILL.md and the script limit behavior to building a prompt, calling an external image-generation API, decoding base64, and writing a PNG to disk. There are no instructions to read unrelated system files, transmit arbitrary local files, or communicate with unexpected endpoints beyond the documented Baidu AI Studio endpoint. The skill explicitly warns about CLI exposure of keys and instructs where files are written.
Install Mechanism
No automated install spec is present (instruction-only + a Python script). The script requires the openai Python package (SKILL.md tells users to pip install openai). This is low-risk compared to remote download/installers. No obscure URLs or extracted archives are used.
Credentials
Requesting an API key to call ERNIE-Image is proportionate. However the registry metadata does not declare the required env vars or a primary credential while the code expects environment variables (multiple possible names). The script also allows passing the key on the command line (which it warns may leak via process listings). These inconsistencies reduce transparency and increase the chance of accidental credential exposure.
Persistence & Privilege
The skill is not marked always:true, has no install that modifies other skills or system configs, and doesn't request persistent elevated privileges. It only writes generated images to the user-specified path.
What to consider before installing
This skill is plausibly what it claims (a small Python client for Baidu ERNIE-Image) but has packaging/documentation inconsistencies you should address before installing. Things to check/do:

  1) Confirm you have a valid Baidu ERNIE-Image API key and set it as a user-scoped environment variable (ERNIE-Image_API_KEY or ERNIE_Image_API_KEY or BAIDU_API_KEY) rather than passing via --api-key to avoid exposure in process listings.
  2) Inspect the script (scripts/generate_image.py) yourself — it posts the prompt to the base_url https://aistudio.baidu.com/llm/lmapi/v3; verify that URL is the official endpoint you intend to use.
  3) Be aware the registry metadata did not declare required env vars or a primary credential — treat that as a packaging omission.
  4) Install the openai Python package in an isolated environment (venv) before running.
  5) Note the minor mismatches (arg help says 'Gemini API key', SKILL.md path hints differ from DESIGN.md) — they are likely sloppy but review code to be comfortable.

If you need higher assurance, request the publisher to update metadata to list required env vars and fix the documentation mismatches, or run the script in a sandboxed account/environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk970ny2pxqyvm9x8c5egyep5hd85hcqb
82 downloads
0 stars
3 versions
Updated 3d ago
v1.0.2
MIT-0

ERNIE-Image Image Generation & Editing

Generate new images or edit existing ones using Baidu's ERNIE-Image API.

Prerequisites

  • Clawdbot installed and configured

  • Install the Python openai SDK: pip install openai

API Key

The script checks for API key in this order:

Usage

Run the script using absolute path (do NOT cd to skill directory first):

Generate new image:

python ~/.codex/skills/ERNIE-Image/scripts/generate_image.py --prompt "your image description" --filename "output-name.png" [--resolution 1024*1024|1366*768] [--api-key KEY]

Important: Always run from the user's current working directory so images are saved where the user is working, not in the skill directory.

Resolution Options

ERNIE-Image API supports three resolutions (uppercase K required):

  • 1024x1024
  • 1376x768
  • 1264x848
  • 1200x896
  • 896x1200
  • 848x1264
  • 768x1376

Map user requests to API parameters:

  • No mention of resolution → 1024x1024
  • "low resolution" → 1024x1024

If neither is available, the script exits with an error message.

Preflight + Common Failures (fast fixes)

  • Preflight:

    • test -n "$(printenv 'ERNIE-Image_API_KEY')" (or pass --api-key)
    • If editing: test -f "path/to/input.png"
  • Common failures:

    • Error: No API key provided. → set ERNIE-Image_API_KEY or pass --api-key
    • “quota/permission/403” style API errors → wrong key, no access, or quota exceeded; try a different key/account
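
Added example (not part of the skill or its scan report): ERNIE-Image_API_KEY is not a valid shell identifier, so "$ERNIE-Image_API_KEY" expands $ERNIE and appends the literal text -Image_API_KEY, and a test -n on it succeeds even when no key is set. The functions below show that false pass next to a lookup by exact name with printenv; the function names are hypothetical, and the lookup order follows the order in which the scan summary lists the variable names, which is an assumption.

```shell
#!/bin/sh
# Added example: preflight check for the ERNIE-Image API key variables.

# The broken form: the shell reads $ERNIE (normally unset), then appends
# the literal "-Image_API_KEY", so the tested string is never empty.
naive_check() {
    test -n "$ERNIE-Image_API_KEY"
}

# Looks each candidate name up in the environment by exact name.
# Prints the NAME of the first variable that is set and non-empty
# (never the key value) and returns 0; returns 1 if none is set.
# Order is an assumption taken from the scan summary's listing.
find_api_key_var() {
    for name in 'ERNIE-Image_API_KEY' 'ERNIE_Image_API_KEY' 'BAIDU_API_KEY'; do
        # printenv matches the raw environment entry, so the hyphenated
        # name works here even though "$ERNIE-Image_API_KEY" cannot.
        if [ -n "$(printenv "$name" 2>/dev/null)" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: report which variable would supply the key.
if found=$(find_api_key_var); then
    echo "API key will be read from: $found"
else
    echo "No API key variable set; export one instead of using --api-key" >&2
fi

if naive_check; then
    echo "note: the naive test -n check passed regardless of the above"
fi
```

Keeping the key in an environment variable rather than passing --api-key keeps it out of process listings, as the scan report notes.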

Filename Generation

Generate filenames with the pattern: yyyy-mm-dd-hh-mm-ss-name.png

Format: {timestamp}-{descriptive-name}.png

  • Timestamp: Current date/time in format yyyy-mm-dd-hh-mm-ss (24-hour format)
  • Name: Descriptive lowercase text with hyphens
  • Keep the descriptive part concise (1-5 words typically)
  • Use context from user's prompt or conversation
  • If unclear, use random identifier (e.g., x9k2, a7b3)

Examples:

  • Prompt "A serene Japanese garden" → 2025-11-23-14-23-05-japanese-garden.png
  • Prompt "sunset over mountains" → 2025-11-23-15-30-12-sunset-mountains.png
  • Prompt "create an image of a robot" → 2025-11-23-16-45-33-robot.png
  • Unclear context → 2025-11-23-17-12-48-x9k2.png

Prompt Handling

For generation: Pass user's image description as-is to --prompt. Only rework if clearly insufficient.

Preserve user's creative intent in both cases.

Prompt Templates (high hit-rate)

Use templates when the user is vague or when edits must be precise.

  • Generation template:
    • “Create an image of: <subject>. Style: <style>. Composition: <camera/shot>. Lighting: <lighting>. Background: <background>. Color palette: <palette>. Avoid: <list>.”

Output

  • Saves PNG to current directory (or specified path if filename includes directory)
  • Script outputs the full path to the generated image
  • Do not read the image back - just inform the user of the saved path

Examples

Generate new image:

python ~/.codex/skills/ERNIE-Image/scripts/generate_image.py --prompt "A serene Japanese garden with cherry blossoms" --filename "2025-11-23-14-23-05-japanese-garden.png" --resolution 1024*1024
