Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw-X-article-cover-generator

v1.0.2

Generate OpenClaw-themed X article covers with the lobster logo on the right quarter and text on the left three quarters, ensuring clear, readable design.

by AI Zimo @yunhe-dev
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Python script align: the script builds a prompt, accepts a reference image (local path or URL), and calls a remote image-generation API (api.bltcy.ai) using BLT_API_KEY. Required artifacts and behavior are proportionate to generating cover images.
Instruction Scope
SKILL.md and the script read a local reference image (if given), base64-encode it and include it in the API payload, or pass an http(s) URL to the API. This is expected for image-based generation, but the code does not strictly validate that local paths are safe image files — any file at the path will be base64-encoded and sent. The instructions do not attempt to read unrelated system files or credentials.
Install Mechanism
There is no install spec (instruction-only plus a script). The script lists a normal Python dependency (requests). Nothing is downloaded from arbitrary URLs or written to unexpected system paths during install.
Credentials
The only required secret is BLT_API_KEY (declared in SKILL.md and used by the script). That matches the stated use of a third‑party image-generation API and is proportionate to the task.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and only writes its output image to the specified output path. It has normal, limited runtime footprint.
Assessment
This skill appears internally consistent with its purpose, but before using it:
1) only provide image reference files that you are comfortable sending to an external service (do not pass sensitive files such as private keys or documents);
2) verify and trust the BLT API endpoint (https://api.bltcy.ai) and its privacy/security practices because local files will be uploaded or referenced;
3) prefer passing a URL to a non-sensitive hosted image (OSS long link) rather than a local path when possible;
4) confirm the BLT_API_KEY is scoped appropriately (rotate/revoke if exposed) and avoid reusing high-privilege keys;
5) if you need higher assurance, run the script in an isolated environment and review/modify the code to enforce stricter file-type checks before upload.
Because there is no homepage or publisher metadata, treat the endpoint and owner as unverified and exercise caution.


latestvk97a56mrw7gdmj93e9ez5pcbfn825nt1
