Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jimeng-Image-Generater
v0.1.0
Use Jimeng AI 4.0 (Volcengine) to generate images from text or image references, and optionally send results to Feishu.
by tangzhan_aicoding@tangc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name and description (Jimeng/Volcengine image generation, optional Feishu delivery) align with the scripts: they call visual.volcengineapi.com and perform text-to-image (t2i) and image-to-image (i2i) tasks. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the scripts require VOLCENGINE_AK and VOLCENGINE_SK: a clear mismatch between the claimed metadata and the actual requirements.
Instruction Scope
SKILL.md instructs running the included scripts, which: (1) use VOLCENGINE_AK and VOLCENGINE_SK to sign API requests to visual.volcengineapi.com; (2) submit and poll jobs and print the full JSON responses; (3) when a target is supplied, POST a JSON payload to http://localhost:18789/message containing the target, the message text, and the image URL. This localhost endpoint is not documented in the metadata and could forward generated URLs or metadata to any local listener, an unexpected externalization path. The instructions do not read other system files, but they do rely on env vars that are not declared in the registry metadata.
Install Mechanism
No install spec; the skill is instructions + scripts only. No remote downloads, no archive extraction, and the included Python/Bash scripts are present. This is low install risk.
Credentials
The scripts legitimately need VOLCENGINE_AK and VOLCENGINE_SK to call Volcengine APIs, which is proportionate to the stated purpose. But the registry metadata does not declare these required env vars or a primary credential, which is both an incoherence and a security/usability concern. Additionally, the script assumes a local Feishu bridge (localhost:18789) instead of requiring Feishu credentials; this delegates Feishu authentication to a local service whose presence and behavior are unknown.
Persistence & Privilege
always:false is set, and no install-time modifications are requested. The skill does not alter other skills or system settings; it only executes the included scripts when invoked. No elevated persistence or privileges are requested.
What to consider before installing
This skill appears to be a legitimate wrapper for Volcengine (Jimeng) image generation, but there are two issues you should consider before installing or running it:

(1) The scripts require VOLCENGINE_AK and VOLCENGINE_SK (secret credentials) even though the registry metadata did not declare them. Verify that you trust the skill source before providing keys, and prefer an account/key with limited scope and a short lifetime.

(2) When asked to deliver results to Feishu, the script posts a JSON payload to http://localhost:18789/message (a local listener), not directly to Feishu's official API. If you don't already run a trusted local bridge that forwards to Feishu, that localhost endpoint could capture or forward generated image URLs and captions unexpectedly.

Recommendations: inspect the scripts (you already have them), confirm the skill author/source, run the skill in an isolated environment (or container) if you must supply real credentials, consider creating an ephemeral/limited Volcengine key, and verify or replace the localhost callback with a delivery mechanism you control.

Additional information that would raise confidence: a known homepage or repository, registry metadata corrected to declare the required env vars, and an explanation of the expected local Feishu bridge or an option to post directly to Feishu with explicit credentials.
latest: vk970t3ynp3h3d8mz84tc77sa11828qy3
