← Back to Skills Marketplace
92
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install volc-image-gen
Description
Use Volc Engine AI to generate, edit, batch produce, and create variations of images with customizable styles and sizes.
Usage Guidance
Things to check before installing/using this skill:
1) Confirm the registry metadata: the package clearly requires VOLC_API_KEY (and optionally VOLC_API_BASE/VOLC_IMAGE_MODEL) but the top-level listing claimed no env vars. Ask the publisher or marketplace to correct the listing if necessary.
2) Treat VOLC_API_KEY as sensitive: grant it only if you trust the Volc Engine service and the skill's author. The skill will send images (including local files you supply) to the external Volc API.
3) Be cautious with local file paths: the skill will read local images and upload them (Base64) to the remote API. Do not pass paths to sensitive files or directories you don't want transmitted.
4) Inspect SKILL.md for hidden characters (the pre-scan found unicode control characters). Prefer a clean copy and consider scanning files for invisible/control characters before running.
5) Run tests and initial usage in an isolated environment (container or VM) and with a limited/test API key to avoid accidental data leakage or unexpected costs.
6) If you need stronger assurance, request source provenance: a trustworthy repository URL, maintainer identity, and release signatures. The included GitHub link in docs should be verified manually.
Overall: behavior is consistent with an image-generation skill, but the metadata mismatch and the control-character finding merit caution — treat this as suspicious until those issues are resolved.
Capability Analysis
Type: OpenClaw Skill
Name: volc-image-gen
Version: 1.0.0
The skill bundle contains a significant security vulnerability in 'src/utils.js' within the 'loadImage' function, which allows for arbitrary file reading from the host system. Because the function does not sanitize or restrict the file path provided in the 'image' parameter, an attacker or a manipulated agent could read sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and exfiltrate them as Base64 data to the configured API endpoint (defaulting to Volcengine). While this is presented as a feature for processing local images, the lack of path validation constitutes a high-risk vulnerability. No explicit evidence of intentional malice or hardcoded exfiltration targets was found.
Capability Assessment
Purpose & Capability
The code, SKILL.md, README, and skill.json consistently implement a Volc Engine image-generation skill that requires a VOLC_API_KEY and calls the Volc Engine API. That capability matches the name/description. However, the registry-level metadata provided to this evaluation (top-level summary) claimed "Required env vars: none" and "Primary credential: none", which contradicts skill.json and the SKILL.md instructions that require VOLC_API_KEY (and optionally VOLC_API_BASE and VOLC_IMAGE_MODEL). This metadata mismatch is an incoherence you should resolve before trusting the listing.
Instruction Scope
Runtime instructions and code are narrowly scoped to image generation and editing. They instruct npm install, setting VOLC_API_KEY in shell rc files, and calling the Volc Engine images endpoint. Important operational behavior: loadImage() will read local file paths and convert them to Base64 and the skill will upload that data to the external Volc API. That file-read/upload behavior is expected for an image-edit feature but is a privacy-sensitive action and should be explicit to users (SKILL.md does not clearly warn that local files will be transmitted to the external service).
Install Mechanism
No external download/install spec is present; this is an instruction-plus-source package with a package.json and normal npm deps (axios, p-limit, node-cache). No surprising or high-risk install URLs, archives, or obfuscated install steps were found.
Credentials
The skill requires a sensitive credential (VOLC_API_KEY) which is appropriate for calling the Volc Engine API. However, the top-level registry metadata in the evaluation stub showing "Required env vars: none" contradicts the skill.json and SKILL.md which declare VOLC_API_KEY as required. This discrepancy is concerning: either the registry entry is incomplete/misconfigured or the skill was published without accurately declaring credentials it needs. Aside from the API key and optional base/model vars, no unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true or any elevated persistent presence. It does write image files to /tmp/openclaw when saving downloads — that is reasonable for its purpose and scoped to a temporary directory. It does not attempt to modify other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install volc-image-gen - After installation, invoke the skill by name or use
/volc-image-gen - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
volc-image-gen v1.0.0
- 初始版本发布,支持火山引擎方舟平台的 AI 图像生成
- 实现文生图、图生图、批量生成和变体生成功能
- 提供7种预定义风格选择
- 支持命令行并发控制与智能重试(指数退避)
- 内建1小时自动缓存机制
- 完整API参数说明和单元测试支持
Metadata
Frequently Asked Questions
What is Volc Image Gen?
Use Volc Engine AI to generate, edit, batch produce, and create variations of images with customizable styles and sizes. It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.
How do I install Volc Image Gen?
Run "/install volc-image-gen" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Volc Image Gen free?
Yes, Volc Image Gen is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Volc Image Gen support?
Volc Image Gen is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Volc Image Gen?
It is built and maintained by rfdiosuao (@rfdiosuao); the current version is v1.0.0.
More Skills