Generate images using Qwen Image API (Alibaba Cloud DashScope). Use when users request image generation with Chinese prompts or need high-quality AI-generated images from text descriptions.
Security Analysis
medium confidence
The skill's code and instructions mostly match its stated image-generation purpose, but there are a few inconsistencies (undeclared config/env access and missing dependency/install details) that warrant caution before installing.
The name, description, and included script all implement Qwen Image generation via DashScope (requests to dashscope.aliyuncs.com with a Bearer token). Requiring the 'uv' runner is consistent with the SKILL.md usage. However, the SKILL.md instructs the agent to read ~/.openclaw/openclaw.json for API keys but the skill metadata does not declare any required config paths or primary credential — this mismatch should be clarified.
Runtime instructions direct the agent to search for API keys in ~/.openclaw/openclaw.json (models.providers.bailian.apiKey or skills."qwen-image".apiKey) or the DASHSCOPE_API_KEY env var. Reading the user's OpenClaw config is relevant for obtaining a stored API key, but it is not declared in the manifest and could expose other stored keys if the agent reads the full file. Otherwise, the SKILL.md stays within the image-generation task (extract MEDIA_URL line, do not download unless asked).
The install uses a Homebrew formula 'uv' which matches the declared required binary and is a low-risk, standard install method. However, the Python script depends on the 'requests' package (commented in the file) but there is no install specification to install Python dependencies; that will cause runtime failures unless the environment already has the dependency. No high-risk external download URLs are used.
The manifest lists no required environment variables or primary credential, yet both SKILL.md and the script expect an API key via DASHSCOPE_API_KEY or an entry in ~/.openclaw/openclaw.json. The skill could read user configuration to locate keys; this access should be declared explicitly. Also verify that the agent will only read the specific field (models.providers.bailian.apiKey or skills."qwen-image".apiKey) rather than scanning the entire config for other secrets.
The skill does not request permanent presence (always:false) and does not modify other skills or system configuration. It prints URLs or saves files only when explicitly asked. No privileged persistence behavior was detected.
Guidance
This skill appears to implement Qwen Image generation and talks to the DashScope API, but there are a few things to check before installing:
1) Confirm you are comfortable with the agent reading ~/.openclaw/openclaw.json for the API key. Ask the author to explicitly declare that config path and to state exactly which JSON fields will be accessed (so it doesn't scan for other secrets).
2) Prefer setting a dedicated DASHSCOPE_API_KEY environment variable (not a general-purpose secret) to limit exposure.
3) Ensure the runtime environment has Python 3.10+ and the 'requests' package, or ask the author to add a pip install step to the install spec.
4) The install uses the Homebrew 'uv' formula; verify this formula is the expected one in your environment.
5) If you need stronger isolation, run the script in a sandboxed environment or with a scoped API key.
If the author can update the manifest to declare required config paths/env vars and include Python dependencies, the remaining concerns will be reduced.
Latest Release
v1.0.0
- Initial release of the qwen-image skill.
- Generates high-quality AI images using the Alibaba Cloud Qwen Image API (DashScope).
- Supports both Chinese and English text prompts.
- Provides various image sizes and advanced options such as negative prompts and watermarking.
- Returns image URLs for easy viewing; local saving is available by request.
- Automatic extraction and markdown rendering of images from script output.
Published by @Robin797860 on ClawHub