Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Volcengine Ai
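v1.0.0
Volcengine AI generation and understanding API. Lets the Agent call the AI capabilities of Volcengine Ark: image generation (Seedream-5.0-lite), video generation (Seedance-1.5-pro), image understanding, and video understanding. An API key (VOLCENGINE_API_KEY) must be configured before use. Supports asynchronous task queries.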
by @zzhimin
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the runtime instructions consistently describe calling Volcengine/Ark visual APIs (image/video generation and understanding). However, the registry metadata declares no required env vars or primary credential while the SKILL.md clearly instructs the user to set VOLCENGINE_API_KEY. This mismatch is notable.
Instruction Scope
SKILL.md instructs exporting a specific example API key (looks like a real UUID) and even advises appending it to ~/.bashrc (persistent storage of a secret). The curl examples reference API endpoints and include paths with spaces (e.g., "visual generation") which look malformed/typos. The instructions also hardcode an example API key value rather than using a placeholder.
Install Mechanism
Instruction-only skill with no install spec or code files — minimal install risk. Nothing is written to disk by an installer because there is no installer.
Credentials
The runtime docs require a single API key (VOLCENGINE_API_KEY), which is proportionate for this API integration — but the registry metadata does not declare it, and the SKILL.md includes a concrete example key. Recommending persistence to ~/.bashrc increases risk of secret leakage. Also the domain in examples (ark.cn-beijing.volces.com) and malformed paths should be verified to ensure they point to the intended service.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not claim system-wide persistence beyond advising the user to export the API key. No other privilege escalation or modification of other skills is requested.
What to consider before installing
This SKILL.md appears to be an instruction-only integration for Volcengine's visual APIs, but there are several red flags you should address before using it:
- Do not copy the example API key from the README into your environment; treat it as potentially leaked or just a placeholder. Replace with your own key only after verifying the skill.
- The registry metadata did not declare VOLCENGINE_API_KEY as a required credential — confirm with the skill author or source that the skill truly needs that env var and update metadata accordingly.
- Verify the API endpoint domain and URL paths in the curl examples. The paths contain spaces (likely typos) and the hostname (ark.cn-beijing.volces.com) is unusual; confirm these point to the official Volcengine API endpoints.
- Avoid storing secrets in plaintext files like ~/.bashrc if you can; use a secrets manager or at least limit file permissions and consider session-only environment variables.
- If you need higher confidence: ask the publisher for an official homepage/source repo, corrected SKILL.md with placeholders (not real keys), and an updated registry manifest declaring VOLCENGINE_API_KEY as required. If the publisher cannot provide these, treat the skill as suspicious and avoid installing.

Like a lobster shell, security has layers — review code before you run it.
