Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

wan-image-gen

v0.1.1

An image-generation skill built on the Alibaba Cloud Bailian (阿里云百炼) Wan image-generation model. It supports submitting text-to-image tasks, polling task status, and downloading the generated images to local disk. Use this skill when the user needs to generate images from a prompt, produce images in batch, specify output dimensions, or continue querying an existing image-generation task.

by Wei Zhou (@zhouweico)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description describe an Aliyun Wan image-generation client; required binary (node) and required env (DASHSCOPE_API_KEY) match the documented Authorization: Bearer usage. Declared behavior (submit task, poll, download) aligns with code and documentation.
Instruction Scope
SKILL.md and scripts instruct only to read an optional config.json, environment variables, call the Aliyun DashScope endpoints, poll tasks, and save images to outputs/. There are no instructions to read unrelated system files or exfiltrate data to unexpected third-party endpoints. Note: the script will read config.json (apiKey/baseUrl) if present and honors an optional WAN_IMAGE_MODEL env var (not declared in metadata).
Install Mechanism
There is no install spec; the skill is a Node.js script and relies on an existing Node >=18 runtime. No downloads from arbitrary URLs or archive extraction are present in the package.
Credentials
Only one required credential (DASHSCOPE_API_KEY) is requested, which is appropriate. Minor inconsistency: the script also accepts an apiKey inside config.json and an optional WAN_IMAGE_MODEL env var (used by the script but not listed in metadata). Ensure you don't accidentally place other secrets in config.json.
Persistence & Privilege
always is false and the skill does not request system-wide privileges or modify other skills. It writes outputs/ and config.json (user-managed) only, which is consistent with its purpose.
Assessment
This skill appears to do what it claims: it needs a DashScope/Aliyun API key (DASHSCOPE_API_KEY) and Node.js, then it will submit image-generation tasks to the configured baseUrl and download images into an outputs/ folder. Before installing: (1) verify DASHSCOPE_API_KEY is a key you intend to use here and not a higher-privilege secret; (2) check config.json (if you create one) for accidentally-stored secrets or a modified baseUrl — point it to the official endpoint (dashscope.aliyuncs.com) if you trust Aliyun; (3) be aware the script will create/write files under its outputs/ directory; (4) if you see unexpected network endpoints in your copy of the code or config, do not run it and rotate any exposed keys. If you want extra assurance, run the script in an isolated environment (container) and inspect network requests (or review the full script) before providing real API credentials.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/wan-image-gen.js:265: Environment variable access combined with network send.
scripts/wan-image-gen.js:155: File read combined with network send (possible exfiltration).


latest: vk9794n2p84q911ewjp93x4anx583jg9c


Runtime requirements

Bins: node
Env: DASHSCOPE_API_KEY
Primary env: DASHSCOPE_API_KEY
