Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easy Image

v1.0.1

Professional image generation assistant for workplace: PPT graphics, marketing posters, product photos, social media content. Simple description → Profession...

0 · 138 · 0 current · 0 all-time
by bbear@ximasadila
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (image generation for workplace assets) aligns with behavior: assembling prompts from templates, selecting models, calling external image-generation platforms, and saving outputs. The skill expects API keys and local config files (e.g., ~/.{platform}/config.json and ~/.easy-image-skill/config.json), which is reasonable for this purpose. It does not request unrelated credentials or system-level privileges.
Instruction Scope
Runtime instructions read and write files in the user's home (~/.easy-image-skill/* and ~/.{platform}/config.json) and silently consult a personal library (~/.easy-image-skill/my-prompts.md). These actions are coherent with a personal prompt library and local config, but the SKILL.md explicitly says some checks happen 'silently' and that technical details are hidden from the user — this can be a privacy/visibility concern (the skill may read user prompt history and reuse it without making all details visible). It also defaults to enabling web-grounding/search when brand names or timeliness are detected, which implies automatic outbound network queries beyond the image generation API.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. That minimizes disk/write and supply-chain risk. All behavior is specified in SKILL.md and local reference docs.
Credentials
The registry metadata lists no required env vars, but the runtime flow clearly expects the user to provide platform API keys (e.g., Jiekou, Novita, PPIO, OpenRouter, WaveSpeed, Google) and stores them in platform-specific config files in the home directory. Requesting/storing those keys in user config files is proportionate, but the skill does not declare these credentials up-front in the registry metadata—this is an omission to be aware of. The skill does not request unrelated keys or system secrets.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. It writes its own config (~/.easy-image-skill/config.json) and personal library, which is expected. It also asks for a default 'save_path' granting blanket download authorization into a user-chosen folder; that is functional for its purpose but is a potential place for accidental data writes.
Assessment
This skill appears to do what it says: translate short descriptions into professional prompts and call image-generation platforms. Before installing or using it, consider the following:

- Review where API keys will be stored: the skill asks you to provide platform keys and will save them to platform-specific files in your home directory (e.g., ~/.jiekou/config.json). If you prefer, use limited-scope or ephemeral keys and check the file contents after setup.
- Inspect the platform adapter docs (references/platforms/*.md) in the bundle (or ask the publisher) to see exact endpoints the skill will call. These endpoints determine where your prompts and any web-search queries are sent.
- Be aware the skill defaults to 'Grounding' (web/image search) for many prompts. That means the skill will make outbound search requests (and potentially include prompt or entity text) whenever brand names, 'latest', or similar tokens are detected. If you have privacy concerns, disable grounding or avoid sending sensitive content.
- The skill silently reads your personal library (~/.easy-image-skill/my-prompts.md) and may reuse prompts without explicit, per-use disclosure. If you keep sensitive or proprietary prompts, review and control that file.
- The skill auto-downloads generated images to a configured path (default ~/Downloads). Choose a path you control and be cautious granting blanket download behavior.

If any of the above is unacceptable, ask the publisher for an explicit list of external endpoints and an option to disable silent reuse or web-grounding. If you proceed, prefer using least-privilege API keys and regularly review the saved config files.


latest: vk972qe2n1tj17jrc2kyr9hb59n838k3w

