ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Laozhangapi Image

v1.1.0

使用老张 API 生成和编辑图片,最低 $0.01/张。支持文生图、图片编辑、多图融合、多种比例。触发词:生成图片、画图、AI作图、文生图、图片编辑、换背景、风格转换、Sora生图。

0· 20·0 current·0 all-time
by@enihsago
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, references/models.md, and the two scripts all consistently target 老张 API (https://api.laozhang.ai) for image generation and editing; functionality (text->image, edit, multi-image fusion, model choices, saving images) matches the stated purpose. However, registry metadata declares no required credentials while the runtime instructions and scripts explicitly require an API token file (~/.laozhang_api_token). This omission is inconsistent and should have been declared in requires.env/primary credential.
!
Instruction Scope
SKILL.md instructs users to create a token file in the home directory and the scripts read that file. The scripts send user prompts and any provided image URLs to the external API and will download returned image URLs (requests.get), saving to ~/Pictures/laozhang. That behavior is expected for this purpose but it means user-provided prompts/images and the resulting image downloads will be transmitted to/received from a third-party service. The instructions do not call out privacy/PII risks, nor do they document exactly what data is transmitted. The skill also downloads resources from returned URLs (possible remote-hosted content), which could expose the host to external content.
Install Mechanism
No install spec is provided (instruction-only with included scripts). The only runtime dependency is the requests Python package, which is noted in the scripts. No remote installers, archived downloads, or obscure external URLs are used by the skill files themselves. Risk from installation is low.
!
Credentials
The scripts require an API token stored at ~/.laozhang_api_token (and accept a --token override), which is proportionate to the skill's purpose. However, the registry metadata lists no required environment variables or primary credential — a mismatch. Additionally, the SKILL.md instructs storing the token in plaintext in the home directory without guidance on token scope/rotation, which increases the chance of accidental exposure. The skill will transmit prompts and user-supplied image URLs to a third-party service; if those contain sensitive information, that is relevant to the credential/data exposure risk.
Persistence & Privilege
The skill does not request permanent/always-on presence (always:false). It does write downloaded images into ~/Pictures/laozhang and reads a token file in the user's home; both are reasonable for this tool's functionality and confined to the user's home environment. It does not modify other skills or system-wide agent settings.
What to consider before installing
What to consider before installing/use: - Credential mismatch: The registry metadata does not declare any required credential, but the SKILL.md and scripts require an API token stored at ~/.laozhang_api_token (or passed with --token). Treat this as an oversight in metadata; do not assume the skill will work without providing a token. Prefer using a short-lived or low-privilege token when testing. - Data exposure: Using the skill sends your prompt text and any image URLs you provide to api.laozhang.ai. If prompts or images contain sensitive information, they will be transmitted to that third party. Review laozhang.ai's privacy terms before sending private data. - Token storage: The instructions suggest placing the token in plain text at ~/.laozhang_api_token. Consider storing tokens more securely (e.g., use a credential manager or environment variable with appropriate permissions) and avoid using production/highly privileged tokens until you trust the provider. - Downloaded content: The scripts will download returned image URLs and write files to ~/Pictures/laozhang. Downloaded content may come from remote hosts; if you run these scripts on servers with sensitive network access, be cautious (risk of unwanted external content or hosting-based attacks). Consider running locally or sandboxed. - Verify endpoints and costs: The API endpoint (https://api.laozhang.ai/v1/chat/completions) matches the docs referenced. Note the billed cost per image in the docs; test with a disposable account or small budget first to avoid unexpected charges. - Quick checks before use: (1) Inspect the scripts yourself (already included) to confirm no hidden endpoints — the scripts only call api.laozhang.ai and fetch returned URLs. (2) Run with a throwaway token to validate behavior. (3) If you need stricter guarantees, ask the publisher to update registry metadata to declare the required credential and provide explicit privacy/usage docs. Given the metadata omission and plaintext token storage instruction, proceed cautiously — the functionality is coherent with its stated purpose but the credential disclosure/metadata issue and third-party data transmission merit attention.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aad9ybydeqp0vhbh9b0p2zx841ay3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

老张 API 图片生成

低成本高质量图片生成与编辑。

快速开始

1. 配置 Token

echo "sk-xxx" > ~/.laozhang_api_token

访问 老张 API 注册获取 token。新注册自动获得 $0.5 测试额度。

2. 文生图

# 默认模型(sora_image,$0.01/张,返回URL)
python scripts/generate_image.py "一只可爱的猫咪在花园里"

# 指定比例(仅 sora_image 支持)
python scripts/generate_image.py "夕阳海滩" --ratio 3:2

# 保存到本地
python scripts/generate_image.py "可爱小狗" --output dog.png

3. 图片编辑

# 基础编辑(默认 gpt-4o-image,$0.01/张)
python scripts/edit_image.py "https://example.com/cat.jpg" "把毛色改成彩虹色"

# 预设风格
python scripts/edit_image.py "https://example.com/photo.jpg" --style 卡通

# 多图融合
python scripts/edit_image.py "https://a.jpg,https://b.jpg" "融合两张图"

模型选择

用途推荐模型价格返回
文生图(默认)sora_image$0.01/张URL
图片编辑(默认)gpt-4o-image$0.01/张URL
高质量/4Kgemini-3-pro-image-preview$0.05/张base64
性价比gemini-2.5-flash-image$0.025/张base64

详细模型对比见 references/models.md

预设风格

卡通、油画、水墨、赛博朋克、素描、水彩

参数

generate_image.py

--model, -m    模型选择(默认: sora_image)
--ratio, -r    比例:2:3/3:2/1:1(仅 sora_image)
--output, -o   保存路径
--no-save      不保存,仅显示URL

edit_image.py

--model, -m    模型选择(默认: gpt-4o-image)
--style, -s    预设风格
--output, -o   保存路径
--no-save      不保存,仅显示URL

常见示例

examples/usage.md

注意

  • URL 返回的模型可直接发送到飞书
  • base64 返回的模型会自动保存到本地
  • 建议控制在 10 请求/分钟

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…