Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeryAI Image Generator
v0.1.5
Generate WeryAI images from text prompts or reference images through the WeryAI image APIs. Use when the user needs text-to-image, image-to-image, async imag...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (node), and required env vars (WERYAI_API_KEY, WERYAI_BASE_URL, WERYAI_MODELS_BASE_URL) align with an API-backed image-generation client. The provided scripts implement text-to-image, image-to-image, status polling, model lookup and balance checks — all expected for this purpose.
Instruction Scope
SKILL.md and the scripts focus on submitting generation tasks, bounded polling, model inspection and returning images. The runtime supports local file paths which will be automatically uploaded to the WeryAI service (uploadLocalFileToPublicUrl). That behavior is documented in SKILL.md, but it means any local path the agent is given can be read and uploaded — a potential data-exfiltration vector if a user (or an automated decision) supplies sensitive filesystem paths.
Install Mechanism
There is no external install/download step; this is an instruction+script bundle that requires Node on PATH. No remote archive downloads or third-party install hooks were found in the package metadata.
Credentials
Most required env vars are proportional (API key and API endpoints). However: (1) SKILL.md states WERYAI_BASE_URL and WERYAI_MODELS_BASE_URL have defaults but the metadata declares them as required — that is inconsistent; (2) the code references an additional env var WERYAI_ALLOW_INSECURE_UPLOAD (used to suppress a warning when uploading to non-official domains) which is not declared in requires.env. Together these allow the runtime to be pointed at arbitrary hosts (and to silence the warning), which increases risk if misconfigured.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config changes. It will run as a normal user-mode tool and only acts when invoked. It reads local files only when given explicit local paths.
Assessment
This package appears to be a legitimate WeryAI client. Before installing or running it:
1) Treat your WERYAI_API_KEY like any secret — provide it only to trusted environments and never commit it to source.
2) Be careful with local-file inputs: if the agent receives or is asked to use a filesystem path, the script will read that file and upload it to the configured WeryAI host. Do not let the agent guess paths or accept unvetted user-provided paths that might point at sensitive files.
3) Double-check the endpoint env vars: the code defaults to api.weryai.com but metadata lists WERYAI_BASE_URL/WERYAI_MODELS_BASE_URL as required and you can override them; only set them to trusted domains. Avoid setting WERYAI_ALLOW_INSECURE_UPLOAD (or any flag that suppresses warnings) unless you fully trust the target host.
4) If you need higher assurance, review the scripts (especially uploadLocalFileToPublicUrl and createClient) or run the dry-run commands first (models-image.js and wait-image.js --dry-run) to confirm behavior without spending credits.
scripts/vendor/weryai-image/main.ts:22
Shell command execution detected (child_process).
scripts/vendor/weryai-image/run-generate.mjs:35
Shell command execution detected (child_process).
scripts/vendor/shared-image-generation/scripts/main.ts:56
Environment variable access combined with network send.
scripts/vendor/weryai-core/upload.js:147
Environment variable access combined with network send.
scripts/vendor/shared-image-generation/scripts/main.ts:6
File read combined with network send (possible exfiltration).
scripts/vendor/weryai-core/upload.js:131
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk973n7p8see9tkpx1h4tppzdfx83g1hm
Runtime requirements
🎨 Clawdis
Bins: node
Env: WERYAI_API_KEY, WERYAI_BASE_URL, WERYAI_MODELS_BASE_URL
Primary env: WERYAI_API_KEY
