ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeryAI Image

Free All-in-One AI Image Generator Platform. Access FLUX, Midjourney alternatives, Wan AI, and Qwen Image in one place. Generate photorealistic 8K images nat...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 34 · 0 current installs · 0 all-time installs
byE.S@sunjian
MIT-0
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description advertise an 'all-in-one' image generator (FLUX, Midjourney alternatives, Wan AI, Qwen Image, etc.), but the included code only calls the WeryAI API (https://api.weryai.com) with model WERYAI_IMAGE_2_0. Functionally it generates images from text prompts, which matches the core purpose, but the multi-backend claim is misleading.
!
Instruction Scope
SKILL.md instructs prompt translation to English and rendering the returned URL as a markdown image — reasonable for this task. However SKILL.md does not document the requirement for an API key or that the runtime script will try to read the user config file (~/.openclaw/openclaw.json). README files mention the config, but the registry metadata does not; this mismatch means runtime behavior (reading a local config and using an API key) is not fully declared in the instructions.
Install Mechanism
There is no install spec — this is an instruction-only skill with a bundled node script. No external downloads or install steps are requested, which is lowest risk for install mechanisms.
!
Credentials
The runtime requires a WeryAI API key (either WERYAI_API_KEY env var or in ~/.openclaw/openclaw.json). The registry metadata lists no required env vars or config paths — that's an incoherence. Requesting a single service API key is proportionate to an image-generation skill, but the omission in metadata and the script reading a file in the user's home directory are privacy/visibility concerns the user should be aware of.
Persistence & Privilege
always is false and the skill does not request system-wide persistence or elevated privileges. It only performs outbound HTTPS requests to the WeryAI API and reads a local config file for the API key.
What to consider before installing
This skill appears to be a straightforward WeryAI text-to-image wrapper, but there are several packaging and disclosure issues you should consider before installing: - The script requires a WeryAI API key (WERYAI_API_KEY env var or a key stored in ~/.openclaw/openclaw.json). The skill registry metadata did not declare this — verify you’re comfortable providing that key. - The description overstates support for multiple backends; the code only calls api.weryai.com. If you expect multi-backend functionality, ask the author for clarification or updated code. - The bundled script attempts to read a file in your home directory (~/.openclaw/openclaw.json). Inspect that file path and the script yourself to confirm it only reads the key and does not exfiltrate other local data. - The JS has sloppy issues (it references path, os, fs without requiring them) — this indicates poor maintenance and could hide other bugs; review the code before trusting it with your credentials. - Because the skill makes outbound network calls, only provide an API key with limited permissions and monitor usage on your WeryAI account. If you’re unsure, test in an isolated environment or request the author to update the manifest to explicitly list required env vars/config paths and to fix the code issues.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.2
Download zip
latestvk979mr48d0n126sy1pv76w3v6d830em2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

WeryAI Image Skill

<description> Generates high-quality AI images from text prompts via WeryAI API. </description> <capabilities> - Text-to-Image generation </capabilities> <usage> ```bash node /Users/king/weryai-image-skill/weryai-generate.js "<english_prompt>" ``` </usage> <rules> 1. Always translate the user's prompt to English before execution. 2. Provide specific, detailed, and visually descriptive prompts for best results. 3. The script will output "Success! Result: <URL>". 4. Render the returned URL as a markdown image `![Generated Image](<URL>)` in the final response. </rules>

Files

8 total
Select a file
Select a file to preview.

Comments

Loading comments…