ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

智谱CogView模型图片生成

v1.0.1

使用智谱AI的CogView模型生成图片。当用户想要AI生成图片时使用此技能,支持中文提示词自动翻译为英文,支持自定义图片尺寸。在首次使用时需要用户配置智谱API密钥。

0· 54·0 current·0 all-time
by代码工坊实验室@yzh-q
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md describes using the Zhipu (open.bigmodel.cn) CogView model and asks the user to provide an API key, which is coherent with the stated purpose. However, the skill metadata lists no required env vars or primary credential even though the instructions explicitly require configuring an API key. Additionally, the doc instructs running 'scripts/generate_image.ps1' yet the package contains no code files or script — a direct mismatch between claimed capabilities and provided artifacts.
!
Instruction Scope
The instructions say the agent will translate prompts and call the CogView model, but they do not include the HTTP/API call details; instead they point to a local PowerShell script ('scripts/generate_image.ps1') that is not present. That makes the runtime behavior vague and grants the agent broad discretion to implement network calls or run arbitrary commands to satisfy the instructions. The SKILL.md also describes checking/storing an API key on first use but gives no specifics about where/how the key is stored or protected.
Install Mechanism
This is an instruction-only skill with no install spec and no code to write to disk. That is the lowest-risk install model — there is nothing in the manifest that automatically downloads or executes external code.
!
Credentials
The skill logically requires a Zhipu API key to call open.bigmodel.cn, but the registry metadata declares no required env vars or primary credential. The SKILL.md says it will prompt the user for an API key on first use but does not justify why the key isn't declared in requires.env nor explain where the key is stored. This mismatch makes it unclear how credentials are handled and whether they might be exposed or mishandled.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allowed to be invoked autonomously (default), which is normal. There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill's purpose (generate images via Zhipu/CogView) is plausible, but the package is incomplete and inconsistent. Before installing or using it, ask the author to: (1) include the referenced scripts (scripts/generate_image.ps1) or provide exact API call examples; (2) explicitly declare the required credential (e.g., ZHIPU_API_KEY) in the metadata and explain how/where the key will be stored and protected; (3) show the code or request a code review so you can verify it only calls open.bigmodel.cn and does not exfiltrate your key elsewhere. Do not paste your API key into untrusted chat windows; if you must enter it, prefer entering it into a secure agent credential store rather than into the skill's free-form prompt. If the author cannot provide the missing script or clear credential handling, treat this skill as incomplete and avoid using it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a28yh3dgeyy730kzqcdk5qn84ba7q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments