Comprehensive Meitu AI toolkit for image and video editing. Features include AI poster design, precise background cutout, virtual try-on, e-commerce product...
Security Analysis
high confidenceThe skill's declared requirements and runtime instructions are consistent with a Meitu CLI-based image/video editing tool: it needs the meitu CLI and Meitu API credentials and reads/writes project files as described.
The skill requires the meitu CLI and Meitu OpenAPI keys, and its SKILL.md directs the agent to call the CLI for image/video tasks — this aligns with the stated Meitu editing poster/video workflows. Required paths (openclaw.yaml, DESIGN.md, workspace) match the described 'project-mode' behavior.
Instructions ask the agent to read/write project files (~/.openclaw/workspace/visual/, ./openclaw.yaml, ./DESIGN.md) and to access credentials (env or ~/.meitu/credentials.json). This is coherent for project-mode workflows but means the agent will persist observations and update project files; users should be aware that project files may be created/modified. The SKILL.md explicitly forbids executing user-supplied scripts and claims safe argument passing to the CLI.
No automated install spec is included (instruction-only). The doc recommends a manual npm install -g meitu-cli if the binary is missing. This is lower-risk than automatic downloads or arbitrary code installs.
The skill only requests Meitu API credentials (MEITU_OPENAPI_ACCESS_KEY / MEITU_OPENAPI_SECRET_KEY) and access to a credentials file; that is proportionate to calling the Meitu service. No unrelated secrets or cloud credentials are requested.
The skill writes to project workspace and config files (openclaw.yaml, DESIGN.md, ~/.openclaw/workspace/visual/) to support 'project-mode' memory and outputs. always:false and no autonomous override are in place, but the skill can persist preferences/memory within those paths — review whether you want the agent to modify those local files.
Guidance
This skill appears internally consistent with its Meitu CLI purpose, but review these points before installing: (1) It will call the local 'meitu' binary and requires your Meitu API keys (env vars or ~/.meitu/credentials.json) — prefer environment variables in shared environments. (2) It may read and write project files (./openclaw.yaml, ./DESIGN.md) and a local visual workspace (~/.openclaw/workspace/visual/); if you do not want those files created/modified, avoid running the skill in that directory or remove write permissions. (3) The tool will upload images/videos to Meitu's API as part of generation — do not send sensitive or private images unless you accept that external transmission. (4) No automatic installer is run by the skill; if you manually install 'meitu-cli', verify the package/source first. (5) The SKILL.md and SECURITY.md state restrictions (no arbitrary script execution, safe CLI argument passing) — if you need higher assurance, inspect the meitu CLI binary provenance and avoid storing long-lived credentials in files.
Latest Release
v1.0.24
- No functional or documentation changes; version update only. - All file contents remain unchanged.
More by @meituskills
Published by @meituskills on ClawHub
