Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

qwen-image-gen

v0.1.0

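An image-generation skill based on Alibaba Cloud Bailian's Qwen-Image text-to-image model. It supports synchronous generation, asynchronous task polling, and downloading generated results to local storage. Use this skill when the user needs to generate images from a prompt, produce images in batches, specify a size or aspect ratio, or continue querying an existing image-generation task.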

by Wei Zhou (@zhouweico)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
The skill is an image-generation client for Aliyun's Qwen-Image service. It requires Node and a DASHSCOPE_API_KEY, references dashscope.aliyuncs.com as the API host, and includes code to call the documented endpoints — these are appropriate for the described purpose.
Instruction Scope
SKILL.md instructs the agent to set DASHSCOPE_API_KEY, optionally use config.json, run the provided Node script, and download outputs to outputs/. The instructions only reference files and env vars relevant to configuring and running the image-generation flow (no unrelated file reads or external endpoints).
Install Mechanism
There is no install spec (instruction-only behavior plus an included Node script). The script relies on Node >=18 and built-in fetch; no external download/install from untrusted URLs or package registries occurs. Risk from install mechanism is low.
Credentials
The only required credential is DASHSCOPE_API_KEY (primaryEnv). That matches the documented API usage. The code may also read optional environment keys (e.g., QWEN_IMAGE_MODEL) and a local config.json; these are reasonable and proportional to configuration needs.
Persistence & Privilege
The skill does not request permanent always:true inclusion and does not attempt to modify other skills or system-wide settings. It runs as a local Node script and writes outputs to a local outputs/ directory as expected.
Assessment
This skill runs a local Node script that will call Aliyun's DashScope (Qwen-Image) APIs and download generated PNGs to an outputs/ directory. Before installing/providing credentials: 1) confirm the DASHSCOPE_API_KEY is the correct key for the intended Aliyun region (the README warns region keys/URLs cannot be mixed), 2) review the included scripts (they are present and readable) and run in an isolated environment if unsure, 3) store the API key in an environment variable rather than committing it to a repo or config file, and 4) be aware that generating images incurs cost per image per the pricing table. If you do not trust the source, do not provide high-privilege credentials or run the script on sensitive systems.
scripts/qwen-image-gen.js:313
Environment variable access combined with network send.
scripts/qwen-image-gen.js:151
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


latestvk973y5pypw0aqrpj0k3dq8jnbx83kdat


Runtime requirements

Bins: node
Env: DASHSCOPE_API_KEY
Primary env: DASHSCOPE_API_KEY
