Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wan-image-gen

v1.0.0

Generate images using Alibaba DashScope wan2.6-t2i model, download to Desktop, and upload to catbox.moe image hosting. Use when the user asks to generate, cr...

by Agentrix @lxyd-ai
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's description and SKILL.md consistently describe calling Alibaba DashScope (wan2.6-t2i) and uploading results to catbox.moe — that is coherent. However the registry metadata lists no required environment variables while the SKILL.md explicitly requires DASHSCOPE_API_KEY. The missing declaration is an incoherence that affects user expectations of needed credentials.
Instruction Scope
The instructions are concrete (curl to DashScope, download to ~/Desktop, upload to catbox.moe) and stay within the stated purpose. Concerns: (1) SKILL.md includes a literal-looking API key (sk-ec7...), which may be a real secret or a placeholder — embedding keys in docs is risky; (2) the instructions write files to the user's Desktop and upload them to a third-party public host (catbox.moe) without asking for explicit consent in the flow; (3) the guide assumes presence of python3 and standard paths but the registry did not declare those prerequisites.
Install Mechanism
Instruction-only skill with no install steps and no code files — low install risk.
Credentials
Only one credential (DASHSCOPE_API_KEY) is needed according to the SKILL.md which is proportionate. But the registry claims no required env vars, creating an inconsistency. The embedded example API key is an additional risk (possible accidental secret disclosure). No other unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges or modify other skills' configuration. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
This skill appears to do what it says (call Alibaba DashScope to generate images and upload them to catbox.moe) but there are a few things to check before installing:
1) The SKILL.md requires DASHSCOPE_API_KEY but the registry metadata lists no required env vars — ask the publisher to correct the metadata so you know beforehand what secret will be used.
2) SKILL.md contains a literal-looking API key in an example; do not assume it is safe. Treat it as a possible leaked secret and ask the maintainer to remove or redact it.
3) The workflow writes images to your Desktop and uploads them to a public third-party host (catbox.moe). Confirm you are comfortable with generated images being stored publicly and that no sensitive content will be uploaded.
4) Verify the DashScope endpoint (dashscope-intl.aliyuncs.com) is the correct official API and use a scoped or disposable API key for initial testing.
5) Consider updating the skill to prompt the user explicitly before writing files or uploading, and to avoid embedding credentials in docs.
If the publisher clarifies the env var requirement and removes the hardcoded example key, the inconsistencies would be resolved.
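
The three findings above (a credential variable used but not declared, a literal-looking key in the docs, and a file upload to a third-party host) can be checked mechanically before installing a skill. The following is an added example, not part of the scanner or of the skill: the function name, the regexes, the "secret-like" heuristic and the sample text are assumptions, the sample key is fake, and only single-line curl commands are handled.

```python
import re

# Constructed SKILL.md excerpt; hosts use the reserved .invalid TLD and the key is fake.
SAMPLE_SKILL_MD = '''\
DASHSCOPE_API_KEY="ask the user"
curl --header "Authorization: Bearer $DASHSCOPE_API_KEY" https://api.example.invalid/v1/generate
export DASHSCOPE_API_KEY="sk-0123456789abcdef0123456789abcdef"
curl -F "reqtype=fileupload" -F "fileToUpload=@$HOME/Desktop/out.png" https://upload.example.invalid/api.php
'''

ENV_REF = re.compile(r'\$\{?([A-Z][A-Z0-9_]*)\}?')           # $VAR or ${VAR}
CRED_NAME = re.compile(r'KEY|TOKEN|SECRET|PASSWORD')          # credential-like variable names
ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=(["\']?)(.*?)\2\s*$')
# Assumption: a value "looks like a secret" if it has a vendor-style prefix and >= 20 token chars.
SECRET_LIKE = re.compile(r'^(?:sk|pk|ghp|xox[a-z])[-_][A-Za-z0-9_-]{20,}$')
UPLOAD = re.compile(r'-F\s+["\']?\w+=@')                      # curl multipart file upload
URL_HOST = re.compile(r'https?://([A-Za-z0-9.-]+)')


def audit_skill(skill_md, declared_env):
    """Compare what a SKILL.md actually uses against what the registry declares."""
    referenced = set(ENV_REF.findall(skill_md))
    undeclared = sorted(v for v in referenced
                        if CRED_NAME.search(v) and v not in declared_env)

    hardcoded, upload_hosts = [], []
    for lineno, line in enumerate(skill_md.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and SECRET_LIKE.match(m.group(3)):
            # Report only a short prefix so the finding does not re-leak the value.
            hardcoded.append((lineno, m.group(1), m.group(3)[:6] + "..."))
        if UPLOAD.search(line):
            for host in URL_HOST.findall(line):
                if host not in upload_hosts:
                    upload_hosts.append(host)

    return {
        "undeclared_credentials": undeclared,
        "hardcoded_secrets": hardcoded,
        "upload_hosts": upload_hosts,
    }


if __name__ == "__main__":
    # The registry entry on this page declares no environment variables.
    for finding, items in audit_skill(SAMPLE_SKILL_MD, declared_env=set()).items():
        print(finding, items)
```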

Like a lobster shell, security has layers — review code before you run it.

latest vk970s28r3tvtv1f9nbx3xwvajh821j42
408 downloads
1 star
1 version
Updated 5h ago
v1.0.0
MIT-0

Wan Image Generation

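Calls the wan2.6-t2i model through the Alibaba Cloud DashScope API to generate an image, downloads it to the local Desktop, and uploads it to the catbox.moe image host to obtain a public link.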

Environment variables

DASHSCOPE_API_KEY="需要此 KEY 时询问用户"  # "Ask the user when this KEY is needed"

Workflow

Step 1: Submit the image generation task

Call the DashScope synchronous endpoint to generate the image:

curl --location 'https://dashscope-intl.aliyuncs.com/api/v1/services/aigc/multimodal-generation/generation' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer $DASHSCOPE_API_KEY" \
  --data '{
    "model": "wan2.6-t2i",
    "input": {
      "messages": [
        {
          "role": "user",
          "content": [
            {
              "text": "<user prompt>"
            }
          ]
        }
      ]
    },
    "parameters": {
      "prompt_extend": true,
      "watermark": false,
      "n": 1,
      "negative_prompt": "",
      "size": "1280*1280"
    }
  }'

Notes:

  • The size format uses * as the separator (e.g. 1280*1280), not x
  • Available sizes: 1024*1024, 1280*1280, 720*1280, 1280*720
  • The image URL expires, so download it immediately after generation

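Step 2: Download the image to the Desktop

Extract the image URL from the response and download it to the Desktop directory:

curl -o ~/Desktop/generated_image.png "<image URL>"

  • Download path: /home/{username}/Desktop/ (Linux) or ~/Desktop/ (macOS)
  • After the download completes, output the file's absolute path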

Step 3: Upload to the catbox.moe image host

Upload the image to catbox.moe to obtain a permanent public link:

curl -F "reqtype=fileupload" -F "fileToUpload=@$HOME/Desktop/generated_image.png" https://catbox.moe/user/api.php

  • On success the public URL is returned, in the form https://files.catbox.moe/xxxx.png

Complete workflow example

export DASHSCOPE_API_KEY="sk-ec70253d8fb14e53a679726ad2e1563c"

# 1. Generate the image
RESPONSE=$(curl -s --location 'https://dashscope-intl.aliyuncs.com/api/v1/services/aigc/multimodal-generation/generation' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer $DASHSCOPE_API_KEY" \
  --data '{
    "model": "wan2.6-t2i",
    "input": {
      "messages": [{"role":"user","content":[{"text":"一只可爱的猫咪"}]}]
    },
    "parameters": {
      "prompt_extend": true,
      "watermark": false,
      "n": 1,
      "negative_prompt": "",
      "size": "1280*1280"
    }
  }')

# 2. Extract the image URL and download it
IMAGE_URL=$(echo "$RESPONSE" | python3 -c "import sys,json; print(json.load(sys.stdin)['output']['choices'][0]['message']['content'][0]['image'])")
curl -o ~/Desktop/generated_image.png "$IMAGE_URL"
echo "图片已下载到: $(cd ~/Desktop && pwd)/generated_image.png"

# 3. Upload to catbox.moe
PUBLIC_URL=$(curl -s -F "reqtype=fileupload" -F "fileToUpload=@$HOME/Desktop/generated_image.png" https://catbox.moe/user/api.php)
echo "公网地址: $PUBLIC_URL"

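Error handling

  • If the API returns an error code, check the code and message fields
  • If the image URL has expired (the download returns 403), resubmit the generation task
  • If the catbox.moe upload fails, simply retry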
