Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Automatic Ad Generator (自动广告生成器)

v1.0.1

Generate professional advertisement posters for multiple industries including automotive, cultural tourism, fragrance, tea, and more. Create commercial layou...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals: Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared requirements (Dreamina CLI and remove.bg key) generally align with an ad-generation tool that can call an AI image service and remove backgrounds. However, SKILL.md marks remove.bg as optional while the registry requires REMOVE_BG_API_KEY — a mismatch. The code also references other AI backends (OpenAI/DALL·E) which are described as optional, but those APIs are invoked in code even though their credentials (e.g., OPENAI_API_KEY) are not declared in the skill metadata.
Instruction Scope
The runtime instructions and code call external CLIs and APIs (dreamina, and code paths that call OpenAI / DALL·E and requests). SKILL.md instructs installing 'dreamina' via a curl|bash one-liner hosted at jimeng.jianying.com. The code will call subprocesses (dreamina text2image, query_result, etc.) and may attempt to contact external services — some of which (OpenAI) are not declared as required env vars. The instructions and code also reference background removal though the implementation for that in the repository is incomplete/inconsistent. Overall the runtime behavior reaches outside the local system to third-party endpoints and relies on undeclared credentials.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells the user to run: curl -s https://jimeng.jianying.com/cli | bash to install dreamina. Piping an external script into bash from a third-party domain is high risk. package.json also lists an optionalDependency pointing to https://jimeng.jianying.com/cli rather than a well-known package registry. These indicate the skill expects you to run remote installer code from a single domain that is not a widely vetted release host.
Credentials
The registry requires DREAMINA_API_KEY and REMOVE_BG_API_KEY. DREAMINA_API_KEY is proportionate. REMOVE_BG_API_KEY is declared required but SKILL.md calls it optional. More importantly, the code contains a path that uses the OpenAI client (generate_with_dalle) yet OPENAI_API_KEY (or equivalent) is not declared in requires.env. The code also imports requests and openai at runtime but package.json only lists Pillow — missing dependency declarations and undeclared credentials increase the risk of silent failures or unexpected network calls.
Persistence & Privilege
The skill is not always-enabled, does not request elevated or system-wide configuration changes, and writes outputs to local temp and output directories. It does not modify other skills or global agent settings. Its persistence and privileges appear normal for a user-run tool.
What to consider before installing

- Do not run curl | bash installers from unknown domains without inspection; the README recommends piping a script from jimeng.jianying.com to install the Dreamina CLI — this is the highest-risk action here. Prefer installing CLIs from official release pages or package managers and review the installer content first.
- The skill expects DREAMINA_API_KEY (reasonable) and REMOVE_BG_API_KEY (declared required but marked optional in docs). The code also calls OpenAI (DALL·E) but does not declare OPENAI_API_KEY — ask the author to clarify required environment variables.
- Dependencies are incomplete: package.json only lists Pillow but code imports requests and openai. Running the code may fail or silently attempt to reach external services. Review and install dependencies in a controlled environment (container or sandbox).
- Review the code paths that call subprocess.run(['dreamina', ...]) to ensure the Dreamina CLI used is the official binary you trust; if you must use Dreamina, install it from a vetted source and confirm its behavior.
- If you handle sensitive images or credentials, avoid giving API keys to third-party services you don't control. Consider running the PIL-only path (local generation) if you want to avoid remote AI services.
- If you want to proceed: ask the publisher to (1) remove the curl|bash recommendation or replace it with a vetted install guide, (2) declare all required env vars (including OPENAI_API_KEY if used), and (3) add missing runtime dependencies to package.json. Otherwise run the tool in an isolated environment and audit network activity.

Latest version: vk973dxee3qt92crxqafgdqak6984aacd

Runtime requirements

Bins: python3, dreamina
Env: DREAMINA_API_KEY, REMOVE_BG_API_KEY