Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

doubao-media

v1.0.0

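Doubao (Volcengine ARK) text-to-image and text-to-video tool: generated media is automatically sent to the chat, with no need to look for the files manually. Text-to-image and text-to-video with auto-send to chat.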

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The description and code align with a Volcengine ARK media generator and the code legitimately requires an ARK_API_KEY. However, the top-level registry metadata declared 'Required env vars: none' while SKILL.md and doubao-media.json both indicate ARK_API_KEY is required. That mismatch is an incoherence that could mislead users or automation that relies on registry metadata.
! Instruction Scope
SKILL.md instructs the user to set ARK_API_KEY and run the included Python script (consistent). It also promises 'Auto-Send to Chat' behavior; the script contains a _send_to_chat method but it only prints a message and does not actually invoke any subprocess or API to send the file. The SKILL.md therefore overstates automation: auto-send appears unimplemented (comment only). There are no instructions to read unrelated files or exfiltrate extra data.
Install Mechanism
No install spec (instruction-only) and the only runtime dependency is the 'requests' Python package (SKILL.md tells users to pip install requests). Nothing is downloaded from arbitrary URLs during install. Low install risk.
! Credentials
The code correctly requires a single API key (ARK_API_KEY), which is proportionate for a cloud media-generation skill. The problem is that the registry metadata omitted this requirement, while doubao-media.json and SKILL.md declare it—this inconsistency could cause automated systems or users to miss the need for credentials. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or any elevated persistence. It writes generated files to ~/.openclaw/workspace/output (consistent with its purpose) and does not modify other skill configs or system-wide settings.
What to consider before installing
Before installing or running this skill:
- Expectation vs reality: The registry metadata incorrectly states no env vars required. You must provide ARK_API_KEY (set in environment) or the script will fail. doubao-media.json and SKILL.md correctly mention ARK_API_KEY—update or verify metadata before automated installs.
- 'Auto-send to chat' is advertised but not implemented: the script's _send_to_chat only prints a message; it does not actually call any messaging tool or send files. If you rely on auto-send, inspect/implement the messaging integration or treat sending as manual.
- Verify the API endpoint: the script calls BASE_URL = https://ark.cn-beijing.volces.com/api/v3. Confirm this is the correct, official Volcengine endpoint for your account and region.
- Review network and privacy implications: the skill downloads generated media from URLs the API returns and writes them to ~/.openclaw/workspace/output. Ensure you are comfortable with those files being saved and that your environment permits outbound connections to Volcengine and to the returned file URLs.
- Run in a sandbox first: test with a non-privileged or temporary API key and inspect network calls and saved files before using a production key.
- If you need the advertised auto-send, request the author to implement a real send (or add instructions for how OpenClaw agents should be invoked to attach/send files). Also ask the publisher to fix registry metadata to declare ARK_API_KEY as required.

Like a lobster shell, security has layers — review code before you run it.
