Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qwen Image

v1.0.0

Generate images using Qwen Image API (Alibaba Cloud DashScope). Use when users request image generation with Chinese prompts or need high-quality AI-generated images from text descriptions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and included script all implement Qwen Image generation via DashScope (requests to dashscope.aliyuncs.com with a Bearer token). Requiring the 'uv' runner is consistent with the SKILL.md usage. However, the SKILL.md instructs the agent to read ~/.openclaw/openclaw.json for API keys but the skill metadata does not declare any required config paths or primary credential — this mismatch should be clarified.
Instruction Scope
Runtime instructions direct the agent to search for API keys in ~/.openclaw/openclaw.json (models.providers.bailian.apiKey or skills."qwen-image".apiKey) or the DASHSCOPE_API_KEY env var. Reading the user's OpenClaw config is relevant for obtaining a stored API key, but it is not declared in the manifest and could expose other stored keys if the agent reads the full file. Otherwise, the SKILL.md stays within the image-generation task (extract MEDIA_URL line, do not download unless asked).
Install Mechanism
The install uses a Homebrew formula 'uv' which matches the declared required binary and is a low-risk, standard install method. However, the Python script depends on the 'requests' package (commented in the file) but there is no install specification to install Python dependencies; that will cause runtime failures unless the environment already has the dependency. No high-risk external download URLs are used.
Credentials
The manifest lists no required environment variables or primary credential, yet both SKILL.md and the script expect an API key via DASHSCOPE_API_KEY or an entry in ~/.openclaw/openclaw.json. The skill could read user configuration to locate keys; this access should be declared explicitly. Also verify that the agent will only read the specific field (models.providers.bailian.apiKey or skills."qwen-image".apiKey) rather than scanning the entire config for other secrets.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system configuration. It prints URLs or saves files only when explicitly asked. No privileged persistence behavior was detected.
What to consider before installing
This skill appears to implement Qwen Image generation and talks to the DashScope API, but there are a few things to check before installing:

1) Confirm you are comfortable that the agent will read ~/.openclaw/openclaw.json for the API key — ask the author to explicitly declare that config path and to state exactly which JSON fields will be accessed (so it doesn't scan for other secrets).
2) Prefer setting a dedicated DASHSCOPE_API_KEY environment variable (not a general-purpose secret) to limit exposure.
3) Ensure the runtime environment has Python 3.10+ and the 'requests' package, or ask the author to add a pip install step to the install spec.
4) The install uses the Homebrew 'uv' formula — verify this formula is the expected one in your environment.
5) If you need stronger isolation, run the script in a sandboxed environment or with a scoped API key.

If the author can update the manifest to declare required config paths/env vars and include Python dependencies, the remaining concerns will be reduced.


latest: vk97bg9a8ptxh5rasg3wc7twkxn80njqy


Runtime requirements

Clawdis
Bins: uv

Install

Install uv (brew)
Bins: uv
brew install uv
