ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

design ecommerce

v1.0.0

Use when users need AI design assets for ecommerce images: background removal, transparent/white background output, blurry photo restoration, or listing imag...

0· 36·0 current·0 all-time
by@xiaorenaishu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (ecommerce image editing, cutout, restoration, listing kit) match the included scripts, api/commands.json, and SKILL.md. Required binaries (bash, curl, python3) and a single API key (DESIGNKIT_OPENCLAW_AK) are appropriate for calling the remote service and running the provided scripts.
Instruction Scope
Runtime instructions explicitly route to the bundled scripts (run_command.sh, run_ecommerce_kit.sh) which perform HTTP calls to openclaw-designkit-api.meitu.com and, when given local file paths, will read and upload local image files. This is coherent for an image-editing skill, but be aware that local files are uploaded to the remote service automatically as part of execution and that the skill executes shell/python code from the repository.
Install Mechanism
No install spec is provided (instruction-only entry), and the skill uses bundled scripts already present in the package. Nothing is downloaded from third-party URLs at install time. The runtime network calls go to a specific vendor API domain (openclaw-designkit-api.meitu.com / designkit.com), which aligns with the stated purpose.
Credentials
Only one required environment variable is declared (DESIGNKIT_OPENCLAW_AK) and is the primary credential used as the X-Openclaw-AK header. The scripts reference several optional environment variables (DESIGNKIT_WEBAPI_BASE, DESIGNKIT_OPENCLAW_CLIENT_ID, OPENCLAW_REQUEST_LOG, etc.) with sensible defaults. There are no unrelated secret requirements.
Persistence & Privilege
Skill is user-invocable, not always-on. It does not request to persist in always:true or modify other skills. It executes only its own scripts at runtime and does not claim system-wide configuration changes.
Assessment
This skill appears to do what it says: run bundled shell/python scripts that call a remote Designkit/OpenClaw API using the DESIGNKIT_OPENCLAW_AK API key. Before installing, confirm you trust the remote service and are comfortable that any local image paths you provide will be uploaded to that API. Keep your API key private and scoped appropriately, and avoid uploading sensitive/private images. Logs are disabled by default but can be enabled (the code attempts to redact the AK); if you enable logging, expect request metadata (with redaction) to be written to stderr. If you want greater assurance, review the scripts (run_command.sh and ecommerce_product_kit.py) yourself and test with non-sensitive sample images and a limited-permission API key or test account.

Like a lobster shell, security has layers — review code before you run it.

latestvk97arpkpmxjcsvr6d1fnkmrna584069c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsbash, curl, python3
EnvDESIGNKIT_OPENCLAW_AK
Primary envDESIGNKIT_OPENCLAW_AK

Comments