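Generate images with the Volcengine Doubao model. Creates images through the Volcengine Doubao image generation API. Supports custom prompts, sizes, models, and other parameters.

## Environment variables

- VOLCENGINE_IMAGE_API_KEY - Doubao API Key (required)

## Usage

`生图:一只可爱的小猫` ("Generate image: a cute kitten")

## Supported sizes

1024x1024, 1280x720, 720x1280, 1024x768, 768x1024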

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: doubao-image
Version: 1.0.1

The skill is a functional tool for generating images using the Volcengine (Doubao) API. It correctly manages sensitive information by retrieving the API key from an environment variable and communicates with the legitimate endpoint (ark.cn-beijing.volces.com). While scripts/generate.py contains a hardcoded absolute path (C:/Users/zcf/...) which is likely a developer oversight and may cause execution issues on other systems, there is no evidence of malicious intent, data exfiltration, or unauthorized command execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated image requests may consume the user's Volcengine account quota or billing.

Why it was flagged

The skill requires a Volcengine API key, which grants access to the user's provider account and quota. This is expected for the stated image-generation purpose, but users should notice the credential requirement, especially because registry requirements list no required env vars.

Skill content

- `VOLCENGINE_IMAGE_API_KEY` - Doubao API Key (required)

Recommendation

Use a dedicated or restricted API key if available, set it only in the intended environment, and rotate it if it is exposed.

What this means

Prompt text and generation parameters are sent to Volcengine and may be processed under that provider's policies.

Why it was flagged

The script sends the prompt, model, size, and count to the external Volcengine API. This is central to the skill's purpose and is disclosed, but it is still an external API action that users should expect before providing sensitive prompts.

Skill content

response = requests.post(API_BASE_URL, headers=headers, json=payload)

Recommendation

Avoid putting private or sensitive information in image prompts unless you are comfortable sending it to the provider.

What this means

Generated images may be saved somewhere unexpected or fail to save on systems where that Windows user path does not exist or is not writable.

Why it was flagged

The script automatically creates and writes image files to a hard-coded absolute path, while SKILL.md describes the output as `downloads/images/`. Saving generated images is expected, but the fixed path is less portable and may surprise users.

Skill content

output_dir = "C:/Users/zcf/.openclaw/workspace/downloads/images"

Recommendation

Prefer a relative or configurable output path and confirm where files will be saved.

What this means

It is harder to verify the publisher's source history or compare the registry package with an upstream project.

Why it was flagged

The registry metadata does not provide an upstream source repository or homepage. No malicious install behavior is shown, but independent provenance is limited.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the registry publisher and have reviewed the included SKILL.md and script behavior.