Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Doubao API Toolkit
v1.0.0
Doubao (Volcengine ARK) API Toolkit - Cross-platform Python implementation for text-to-image, image-to-image, text-to-video, and vision analysis. Doubao API Toolkit -...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill implements a Doubao/Volcengine ARK client and legitimately needs an ARK API key and python; SKILL.md and scripts reference ARK_API_KEY and appropriate API endpoints. However the registry summary at the top says "Required env vars: none" while skill.json and SKILL.md require ARK_API_KEY — this metadata inconsistency is concerning and should be resolved.
Instruction Scope
SKILL.md describes only API interactions (text->image/video, vision analysis) and instructs the user to set ARK_API_KEY. The included Python code follows these instructions. Note: analyze_video reads a local video file, base64-encodes it, and uploads it to the remote API (expected for video analysis but important to be aware of). The tool also downloads results and writes them to ~/.openclaw/workspace/output.
Install Mechanism
There is no install specification (instruction-only install), and the repository provides a runnable Python script. No installers or third-party downloads are pulled during install — this is low-risk from an installation vector perspective.
Credentials
The code and SKILL.md require only a single credential (ARK_API_KEY), which is proportionate. The concern is the inconsistency between registry metadata (which listed no required env vars) and the embedded skill.json/SKILL.md that require ARK_API_KEY. Also skill.json lists python3 in requires.bins — ensure that is consistent with the platform and that the listed repository/homepage are legitimate before trusting the package.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes outputs to a directory under the user's home (~/.openclaw/workspace/output) which is normal for a CLI tool but worth noting if you prefer different storage locations.
What to consider before installing
This package appears to be a straightforward Python client for Volcengine ARK and behaves consistently with that purpose, but there are packaging/metadata inconsistencies you should resolve before installing:
1) Verify the source and homepage (skill.json points to a GitHub repo, but registry metadata lists source/homepage as unknown/none).
2) Confirm ARK_API_KEY is indeed required (SKILL.md and the script use it); do not supply high-privilege or long-lived credentials — create and use a scoped key if possible and rotate it after testing.
3) Be aware analyze_video will read any local video file you point it at and upload base64-encoded contents to the remote API — do not analyze sensitive or private videos unless you trust the endpoint.
4) Verify the BASE_URL host (ark.cn-beijing.volces.com) and TLS certificate correspond to the official Volcengine/ARK endpoints.
5) If in doubt, run the script in an isolated environment (container or VM), inspect the full script yourself, and prefer using minimum-permission API keys.
If the packaging metadata is corrected and the repo/homepage prove legitimate, this skill is likely fine for use; otherwise treat the inconsistencies as a red flag.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dbd3n566ej39657jnbwbzcs83cxg6
