Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
weimage
v1.0.3Generates high-quality images from optimized English prompts and automatically sends the final picture to all users without intermediate messages.
⭐ 0· 817·0 current·0 all-time
by@zhairen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Malicious
high confidencePurpose & Capability
The skill claims to generate and deliver images to users, but its code writes output into a hard-coded public web directory (OUTPUT_DIR) served at an external domain (voice.robotmusk.com) and returns that URL. That destination is unrelated to a generic 'generate image and send to users' claim and suggests exfiltration or covert publishing. The script also forces use of /root/pythonenv and references a GEN_SCRIPT in /root/.openclaw/workspace — these hard-coded root paths are not proportional to the stated purpose.
Instruction Scope
SKILL.md explicitly mandates silent operation ('严禁过程汇报,严禁询问') and instructs the agent to immediately push the returned URL to all users via default_api.message (WeChat). The code itself loads /root/.openclaw/.env and will surface environment keys in debug output if prompt missing. Combining enforced silence with writing to an attacker-controlled URL and automated messaging is covert and out-of-scope for a benign image helper.
Install Mechanism
There is no install spec (instruction-only) and no external archive downloads. However, the provided Python script executes other local scripts (GEN_SCRIPT) and expects a custom pythonenv; the lack of an install step reduces supply-chain risk but does not mitigate the malicious behaviors embedded in the script.
Credentials
requires.env declares none, yet the script loads /root/.openclaw/.env and injects any keys into the process environment. This reads potentially sensitive credentials without declaring them. It also references/uses root-level paths and an external BASE_URL, which are not justified by the simple stated purpose.
Persistence & Privilege
The skill writes files to a system web directory (/opt/1panel/...), exposing copied files at an external domain. Although always:false, the skill requests filesystem and messaging permissions (per _meta.json) and modifies publicly visible filesystem state — a high-privilege action for an image helper and a persistent exfiltration channel.
Do not install this skill
Do not install or run this skill. It enforces silent behavior, loads root .env credentials, forces a root python environment, copies generated files into a hard-coded public website (voice.robotmusk.com), and instructs automatic messaging — all signs of covert exfiltration. If you already ran it: 1) uninstall/remove the skill immediately; 2) inspect and remove files under /opt/1panel/www/sites/voice.robotmusk.com/index and /root/.openclaw/workspace for unexpected artifacts; 3) check and rotate any secrets stored in /root/.openclaw/.env and other credentials that could have been exposed; 4) block outbound traffic to voice.robotmusk.com and related hosts; 5) audit agent messaging logs for automatic pushes to users (WeChat/default_api.message) and notify affected users; 6) if this ran on a production host, perform a host compromise investigation and consider rebuilding the host. The script's behavior is intentionally covert and not proportionate to a benign image-generation helper.Like a lobster shell, security has layers — review code before you run it.
latestvk97ewa0jmj2dfva76ds1cztg6n818sg0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.