Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Weryai Image Toolkits
v0.1.6
Use when the user needs WeryAI image tools to analyze and transform existing images. Generate reusable prompts, convert and optimize visuals via background r...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared env vars (WERYAI_API_KEY, WERYAI_BASE_URL), required binary (node), and the included scripts all implement image-editing and upload/processing workflows described in SKILL.md. The requested items are proportional to the stated purpose.
Instruction Scope
Runtime instructions and the CLI code operate on image URLs and local file paths, upload local files to the WeryAI service, support dry-run, and poll task status. This is appropriate for an image-editing toolkit. Caveat: the code permits overriding WERYAI_BASE_URL (and will upload to whatever host that points to) and will upload arbitrary allowed local files you provide; if misconfigured (or if you accidentally supply a sensitive path) that could leak local content. The SKILL.md warns about trusting overrides and recommends reviewing scripts before production use.
Install Mechanism
No network install spec is included; the package contains Node scripts to run locally. There are no external download URLs or archive extracts. Requiring node is expected and proportionate.
Credentials
Only the WERYAI_API_KEY is a secret and is the declared primary credential; WERYAI_BASE_URL is expected for host override. The code also reads optional env vars (e.g., WERYAI_POLL_INTERVAL_MS, WERYAI_POLL_TIMEOUT_MS, WERYAI_ALLOW_INSECURE_UPLOAD) that are not listed as required but are benign operational knobs. The number and type of env vars requested are proportionate to the skill's function.
Persistence & Privilege
always:false and no install-time modifications to other skills or global agent settings. The skill runs as a normal, user-invocable module and does not request permanent elevated privileges.
Assessment
This package appears coherent for WeryAI image editing, but review and act cautiously:
1) Provide only a WERYAI API key you trust; the tool will send your images (including any local file paths you pass) to the configured WERYAI_BASE_URL.
2) Avoid giving local paths to sensitive files; the uploader supports many file types (images, text, etc.) and will POST them to the API.
3) Do not change WERYAI_BASE_URL unless you trust the destination; overriding it can make the client send sensitive data to an arbitrary host (the code warns about this).
4) Use the built-in dry-run and inspect the scripts (scripts/image_toolkits.js and scripts/vendor/weryai-core/*) before running paid jobs, and run first paid jobs from an isolated environment or short-lived session.
If you want extra assurance, test only with public HTTPS image URLs (not local files) and verify account balance and API key permissions first.
scripts/image_toolkits.js:19
Environment variable access combined with network send.
scripts/vendor/weryai-core/upload.js:147
Environment variable access combined with network send.
scripts/image_toolkits.js:525
File read combined with network send (possible exfiltration).
scripts/vendor/weryai-core/upload.js:131
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
🖼️ Clawdis
Bins: node
Env: WERYAI_API_KEY, WERYAI_BASE_URL
Primary env: WERYAI_API_KEY
