NexPix — Cloudflare Image Generation
v1.0.0
AI image generation via Cloudflare Workers AI (free tier, FLUX models) with premium EvoLink fallback. Use when generating images from text prompts, creating...
MIT-0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md and nexpix.js clearly require a Cloudflare Workers AI token (CF_WORKERS_AI_TOKEN or ACCESS/cloudflare-workers-ai.env) and optionally EVOLINK_API_KEY; however registry metadata lists no required env vars/credentials. Reading/writing under ~/.openclaw/workspace/ACCESS and a workspace tracking file is beyond what the registry summary indicated. The hard-coded CF_ACCOUNT_ID in the code (c52d61bc44ff08ef8c10e06bd007a27c) is unexpected and may route API calls to a third-party account instead of a user's account.
Instruction Scope
Runtime instructions and code read secret files from ACCESS/, read environment variables, perform outbound HTTPS requests to Cloudflare/EvoLink, save images to ~/.openclaw/media/, and log usage to workspace/notes/image-gen-tracking.json. SKILL.md explicitly tells the skill to print MEDIA:<absolute_path> to trigger OpenClaw auto-attach — that can cause generated images to be automatically uploaded/sent to active channels. These I/O and network actions are within image-generation purpose, but SKILL.md grants broad discretion (auto-fallbacks, quota checks) and the combination with auto-attach and secret-file access is sensitive.
Install Mechanism
There is no install spec (instruction-only), and included files are local JS and a small deploy script. The deploy script uses npx wrangler (standard) but doesn't download arbitrary archives or run obscure installers. Overall install risk is low, though code will be written to disk when the skill is installed.
Credentials
The skill actually requires a Cloudflare Workers AI token and optionally an EvoLink API key and reads them from env or ACCESS/*.env files, yet the metadata advertised no required env vars. The hard-coded CF_ACCOUNT_ID hardwires a specific Cloudflare account id, which is disproportionate and suspicious unless documented and intended. The skill will read secret files from ~/.openclaw/workspace/ACCESS, which is reasonable for a service token but should have been declared in metadata.
Persistence & Privilege
The skill does not set always:true and does not modify other skills. It writes tracking and media files into the user's home (~/.openclaw), which is expected for a media tool, and relies on OpenClaw's MEDIA: auto-attach behavior. Autonomous invocation is allowed (platform default); combined with the auto-attach behavior and secret access, this increases the blast radius if the skill is invoked automatically.
What to consider before installing
Things to verify before installing:
- Metadata mismatch: the registry claimed no credentials, but SKILL.md and the code require a Cloudflare Workers AI token and optionally an EvoLink API key. Expect the skill to read those from CF_WORKERS_AI_TOKEN or ACCESS/cloudflare-workers-ai.env and ACCESS/evolink.env. If you don't want it reading files in ~/.openclaw/workspace/ACCESS, either do not install it or inspect the code first.
- Hard-coded Cloudflare account: nexpix.js contains a hard-coded CF_ACCOUNT_ID. Confirm whether you must replace it with your own account id; otherwise API calls may be directed to someone else's account (privacy/cost implications).
- Auto-attach behavior: the skill prints MEDIA:<path> and saves images to ~/.openclaw/media/. OpenClaw will auto-attach/send those images to the active channel (Discord/Telegram). If automatic upload of generated images is undesirable, avoid enabling integration or modify the code to require explicit upload.
- Secrets handling and permissions: store tokens with least privilege and check ACCESS/ files' permissions. Consider using environment variables instead of loose files in workspace if you prefer.
- Unknown origin: no homepage and the repository/author are minimal; if you need higher assurance, review the full nexpix.js (the provided file was truncated in output) and any EvoLink endpoints to ensure no hidden endpoints or unexpected data exfiltration occur.
- Test safely: run the skill in an isolated environment (throwaway account, container, or VM) and monitor outbound network traffic before giving it production credentials.
If you want, I can (a) scan the remaining truncated part of nexpix.js for EvoLink calls and unexpected hosts, (b) produce a list of exact files/lines that read secrets or print MEDIA:, or (c) suggest minimal code edits to remove the hard-coded account id and make token requirements explicit.
Like a lobster shell, security has layers — review code before you run it.
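Several of the checks above (undeclared credentials, secret-file reads, a hard-coded account id, MEDIA: output) can be run as a static pass over a skill's source before install. The following is an added example, not part of the scan output or the skill's own code; the function names, finding kinds and the embedded sample source are assumptions constructed for illustration.

```javascript
// Added example: static pre-install audit of a skill's source text.
// SAMPLE_SOURCE is constructed for illustration; it is NOT the real nexpix.js,
// and the 32-hex value in it is a placeholder, not a real account id.
const SAMPLE_SOURCE = `
const CF_ACCOUNT_ID = '0123456789abcdef0123456789abcdef';
const token = process.env.CF_WORKERS_AI_TOKEN || readEnvFile('ACCESS/cloudflare-workers-ai.env');
const evoKey = process.env.EVOLINK_API_KEY || readEnvFile('ACCESS/evolink.env');
console.log('MEDIA:' + filepath);
`;

// declaredEnv: env var names the registry metadata lists as required.
function auditSkillSource(source, declaredEnv = []) {
  const findings = [];
  const declared = new Set(declaredEnv);
  const seenEnv = new Set();
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    // Environment variables the code reads but the metadata never declared.
    for (const m of text.matchAll(/process\.env\.([A-Z][A-Z0-9_]*)/g)) {
      if (!declared.has(m[1]) && !seenEnv.has(m[1])) {
        seenEnv.add(m[1]);
        findings.push({ line, kind: 'undeclared-env', detail: m[1] });
      }
    }
    // Secret files under the workspace ACCESS/ directory.
    for (const m of text.matchAll(/ACCESS\/[\w.-]+\.env/g)) {
      findings.push({ line, kind: 'secret-file', detail: m[0] });
    }
    // Quoted 32-hex literal: the shape of a Cloudflare account id.
    const hex = text.match(/['"`]([0-9a-f]{32})['"`]/);
    if (hex) findings.push({ line, kind: 'hardcoded-id', detail: hex[1] });
    // A string starting with MEDIA: is what triggers OpenClaw auto-attach.
    if (/['"`]MEDIA:/.test(text)) {
      findings.push({ line, kind: 'auto-attach', detail: 'MEDIA:' });
    }
  });
  return findings;
}

// Count findings per kind for a quick summary.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

const report = auditSkillSource(SAMPLE_SOURCE, []); // metadata declared no env vars
for (const f of report) console.log(`line ${f.line}: ${f.kind} ${f.detail}`);
```

A pattern match like this only narrows where to read; it does not replace reviewing the full file or watching outbound traffic in an isolated run.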
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
NexPix — Cloudflare Image Generation
Two-tier image generation with intelligent routing. Free by default.
Quick Start
CLI
```bash
# Generate an image (free tier)
nexpix "a sunset over the ocean with sailboats"

# Specify size
nexpix "cyberpunk cityscape" --size 1024x768

# Premium quality (EvoLink fallback)
nexpix "product photo of a clay jar" --quality premium

# Force a specific route
nexpix "logo design" --route workers-ai
nexpix "4K wallpaper" --route evolink

# Check usage/quota
nexpix --status
```
Programmatic
```javascript
const nexpix = require('./nexpix');

// await is only valid inside an async function in a CommonJS module
(async () => {
  const result = await nexpix.generate({
    prompt: "a futuristic city at night",
    quality: "standard", // standard | premium
    width: 1024,
    height: 1024,
  });
  console.log(result.filepath); // local path to saved image
  console.log(result.source);   // 'workers-ai' or 'evolink'
  console.log(result.cost);     // 0 for free tier
})();
```
Messaging Integration
Discord: /canvas a mountain landscape at dawn
Telegram: /canvas a mountain landscape at dawn
See references/messaging-integration.md for slash command manifests.
Architecture
Routing Logic
- Standard quality → Cloudflare Workers AI (free, FLUX.1-schnell)
- Premium / 4K quality → EvoLink API (~$0.12-0.20/image)
- Image editing / img2img → EvoLink (Workers AI is text-only)
- Quota > 90% used → Auto-fallback to EvoLink
- Workers AI failure → Auto-fallback to EvoLink
Models (Workers AI — Free Tier)
| Model | Speed | Quality | Key |
|---|---|---|---|
| FLUX.1-schnell | ~1-3s | Good | flux-schnell (default) |
| FLUX.2-dev | ~5-10s | Great | flux-2-dev |
| Stable Diffusion XL | ~3-5s | Good | sdxl |
| DreamShaper 8 LCM | ~2-4s | Good | dreamshaper |
Pricing Tiers
| Tier | Cost | Limit | Provider |
|---|---|---|---|
| Free | $0/month | 10K neurons/day (~50-100 images) | Cloudflare Workers AI |
| Pro | ~$0.12-0.20/image | Unlimited | EvoLink API |
| Enterprise | Custom | Custom | Self-hosted Workers |
Requirements
- Cloudflare account with Workers AI enabled
- API token stored at ACCESS/cloudflare-workers-ai.env
- Node.js 18+
- Optional: EVOLINK_API_KEY for premium fallback
File Layout
| File | Purpose |
|---|---|
| nexpix.js | Core module (routing, generation, tracking) |
| bin/nexpix | CLI entry point |
| scripts/deploy-worker.sh | Deploy/update Cloudflare Worker |
| references/messaging-integration.md | Discord + Telegram setup |
Output
Images saved to ~/.openclaw/media/workers-ai/ (free) or ~/.openclaw/media/evolink/ (premium).
Print MEDIA:<absolute_path> for OpenClaw auto-attach.
Usage Tracking
All generations logged to notes/image-gen-tracking.json:
- Daily neuron usage vs quota
- Cost per image ($0 for free tier)
- Cumulative savings vs paid alternatives
- Generation history (last 500)
Check with nexpix --status or programmatically via nexpix.getStatus().
Installation
```bash
clawhub install nexpix
```
