Skill v1.0.0

ClawScan security

Skill Image Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 15, 2026, 3:07 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code matches its stated image-generation purpose, but the registry metadata omits declared credentials/config requirements and there are small inconsistencies in naming and config discovery that you should review before installing.
Guidance
This skill's code implements what it claims (Gitee AI image generation + optional Tencent COS upload). Before installing:
1) Be aware you will need to provide your Gitee API key (and optionally COS SecretId/SecretKey) — these are stored under ~/.openclaw/skills/config/skill-image-gen/config.json.
2) The registry metadata did not declare these required credentials — verify you trust the skill source before entering secrets.
3) If you plan to let an AI agent provide the API key via dialog, remember the agent will be able to save that secret to disk.
4) Consider running the code in an isolated environment or review the small Python modules (they are included) to confirm no unwanted network endpoints.
5) If you don't need COS, leave COS disabled to avoid uploading credentials.
If you want higher assurance, ask the author to update registry metadata to declare GITEE_API_KEY (and optional COS vars) and to fix the minor naming inconsistencies in docs (free-image-gen vs skill-image-gen).

Review Dimensions

Purpose & Capability
note: Code and SKILL.md implement an AI image generator using Gitee AI and optional Tencent COS upload — this matches the name/description. However, the registry metadata lists no required environment variables or primary credential even though the skill clearly requires a Gitee API key (and optional COS secrets). That omission is an incoherence between the provided metadata and the skill's actual needs.
Instruction Scope
ok: Runtime instructions and code stay within the expected scope: they call the Gitee AI endpoint, save images locally, and optionally upload to COS. The agent/CLI is instructed to collect and save API keys; no instructions attempt to read unrelated system data or contact unexpected endpoints.
Install Mechanism
ok: This is an instruction+code skill with no install spec. Dependencies are installed via pip from requirements.txt (requests, Pillow, optional cos SDK) — standard and proportional for the task. No downloads from arbitrary URLs or archive extraction are present.
Credentials
concern: The skill legitimately needs a Gitee API key and optionally COS secret_id/secret_key/region/bucket. Those secrets are requested and persisted to a config file in the user's home. The registry metadata, however, declares no required env vars or primary credential — a mismatch. Also note the skill will accept credentials via interactive input, environment variables, or agent-provided dialog and will write them to ~/.openclaw/skills/config/..., which means secrets are stored on disk.
Persistence & Privilege
note: The skill is not always-enabled and doesn't request elevated system privileges. It does write configuration (including secrets) to the user's home (~/.openclaw/skills/config/skill-image-gen/config.json) — expected for this functionality but worth awareness. Autonomous invocation is allowed by default (platform default), which means an agent could call update_config() to save credentials if given them.