Tianshu Image

v1.0.0

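Generate images with Alibaba Cloud Tongyi Wanxiang (DashScope). Use when: the user needs an image generated from a text description; the user says "draw a picture", "generate an image", or "text-to-image". NOT for: image editing, style transfer, or other scenarios that are not text-to-image.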

by tianshu @wangshengli0421
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the included script: the code sends a text prompt to Alibaba DashScope and returns or saves the generated image. Minor mismatch: SKILL.md mentions an alternative config key (models.providers.bailian.apiKey) and suggests storing config in ~/.openclaw/openclaw.json, but the script only reads DASHSCOPE_API_KEY or a passed --api-key; this is a documentation inconsistency, not a functional mismatch with purpose.
Instruction Scope
SKILL.md instructs running the included Node.js script and describes expected outputs — which align with the code. It also references reading openclaw.json or a different provider key, but the script does not read those paths; otherwise the instructions do not ask the agent to read unrelated files or exfiltrate arbitrary data.
Install Mechanism
No install spec and no external downloads; the skill is instruction+script only (package.json has no dependencies). This is low-risk from an installation perspective.
Credentials
Only DASHSCOPE_API_KEY (or --api-key) is required, which is proportional to a skill that calls an external image-generation API. No unrelated credentials or broad system secrets are requested.
Persistence & Privilege
Skill does not request persistent/global privileges (always is false). It can write image files only when the user supplies a --filename; it does not modify other skills or system-wide configuration.
Assessment
This skill will send the text prompt (and negative prompt) to Alibaba DashScope and uses the provided DASHSCOPE_API_KEY to authenticate. Only install if you trust that service and the API key you provide. Note the SKILL.md mentions alternate config locations that the script does not actually read—verify you set DASHSCOPE_API_KEY or pass --api-key when running. Be aware generated images may be returned as external URLs (the script prints MEDIA_URL) — if you prefer not to expose images to third-party hosting, use --filename to save locally. Finally, restrict the API key scope where possible and avoid supplying highly sensitive prompts or data to the skill.
scripts/generate_image.js:26
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latest: vk971pwrr09c16cxw1rgszv5rex836nh9

Runtime requirements

Env: DASHSCOPE_API_KEY
Primary env: DASHSCOPE_API_KEY
