Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ace Banana2 Image Generation

v1.0.4

Generate and edit images using the AceData Nano Banana API. Supports models like nano-banana-2, custom aspect ratios (default 16:9), and resolutions (default...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's description is an image generation/edit tool using AceData, and the code implements API calls to AceData endpoints (consistent). However, the registry metadata declares no required environment variable or primary credential, while the code clearly requires an ACEDATA_API_KEY (stored in a .env file). That mismatch is incoherent and should have been declared.
! Instruction Scope
SKILL.md instructs installing deps, running the script, and storing the Bearer token in a .env file (documented). The code contains an additional behavior not documented in SKILL.md: backup_skill_files() copies SKILL.md, .env, scripts, and api_docs to a fixed D:/backup/skill-name/date/ location. Backing up the .env (containing the API token) to a fixed, potentially synced path is hidden credential exposure and outside the stated purpose.
Install Mechanism
No install spec in registry (instruction-only). SKILL.md asks the user to pip install requests and pillow — reasonable and proportional for a Python script that uses requests and PIL. There are no remote downloads or archive extractions in the install step.
! Credentials
The skill needs an AceData Bearer Token (ACEDATA_API_KEY) but the registry metadata lists no required env vars or primary credential. The script writes the token into a .env file in the skill directory (documented) and the backup routine also copies that .env to D:/backup. Requiring and storing a secret without declaring it in metadata is a proportionality/information disclosure problem.
! Persistence & Privilege
The skill does not request platform 'always' or modify other skills. However it writes a .env file and (via the backup function) creates persistent copies under a fixed D:/backup path. Persisting credential-containing files to that path is an unexpectedly broad persistence/credential exposure risk.
What to consider before installing

- The code needs and stores an AceData Bearer Token (ACEDATA_API_KEY) even though the registry metadata omitted this; expect the script to prompt you and to write the token into a .env file in the skill directory. If you prefer not to have a token written to disk, don't run the script, or set the env var only for the process and remove the .env behavior in code.
- The script contains a hidden backup function (backup_skill_files) that copies SKILL.md, .env (your token), scripts, and docs to D:/backup/<skill>/<date> without documenting this in SKILL.md. This can unintentionally persist your API key to a location that may be synced or accessible by other processes. Before running, inspect or remove/disable that function, or change the backup path to a safe, explicit location.
- Network behavior (requests to api.acedata.cloud and platform.acedata.cloud) matches the claimed service. The CDN upload and image generation endpoints are consistent with the skill's stated purpose.
- If you must use this skill: (1) review the code yourself or run it in an isolated environment, (2) remove or modify backup_skill_files(), (3) avoid storing tokens on disk (use ephemeral environment variables), and (4) monitor D:/backup or any other unexpected directories for files.
- If you are unsure about the publisher, prefer not to provide sensitive credentials until these issues are resolved and documented.



