← Back to Skills Marketplace
459
Downloads
1
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install wan
Description
Generate images using Alibaba DashScope wan2.6-t2i model, download to Desktop, and upload to catbox.moe image hosting. Use when the user asks to generate, cr...
Usage Guidance
This skill appears to do what it says (call Alibaba DashScope to generate images and upload them to catbox.moe) but there are a few things to check before installing: 1) The SKILL.md requires DASHSCOPE_API_KEY but the registry metadata lists no required env vars — ask the publisher to correct the metadata so you know beforehand what secret will be used. 2) SKILL.md contains a literal-looking API key in an example; do not assume it is safe. Treat it as a possible leaked secret and ask the maintainer to remove or redact it. 3) The workflow writes images to your Desktop and uploads them to a public third-party host (catbox.moe). Confirm you are comfortable with generated images being stored publicly and that no sensitive content will be uploaded. 4) Verify the DashScope endpoint (dashscope-intl.aliyuncs.com) is the correct official API and use a scoped or disposable API key for initial testing. 5) Consider updating the skill to prompt the user explicitly before writing files or uploading, and to avoid embedding credentials in docs. If the publisher clarifies the env var requirement and removes the hardcoded example key, the inconsistencies would be resolved.
Capability Analysis
Type: OpenClaw Skill
Name: wan
Version: 1.0.0
The skill is classified as suspicious due to several risky capabilities, even though its stated purpose (image generation, download, upload) appears benign. The `SKILL.md` instructs the AI agent to handle a sensitive `DASHSCOPE_API_KEY` by 'asking the user', which creates a direct prompt injection surface for an attacker to potentially extract the key from the agent. Additionally, the skill directly executes powerful shell commands like `curl` for network operations and `python3 -c` for JSON parsing, which, while used benignly here, represent significant execution capabilities that could be exploited if user input were ever mishandled. Finally, the skill uploads content to `catbox.moe`, an external, untrusted image hosting service, adding an external dependency.
Capability Assessment
Purpose & Capability
The skill's description and SKILL.md consistently describe calling Alibaba DashScope (wan2.6-t2i) and uploading results to catbox.moe — that is coherent. However the registry metadata lists no required environment variables while the SKILL.md explicitly requires DASHSCOPE_API_KEY. The missing declaration is an incoherence that affects user expectations of needed credentials.
Instruction Scope
The instructions are concrete (curl to DashScope, download to ~/Desktop, upload to catbox.moe) and stay within the stated purpose. Concerns: (1) SKILL.md includes a literal-looking API key (sk-ec7...), which may be a real secret or a placeholder — embedding keys in docs is risky; (2) the instructions write files to the user's Desktop and upload them to a third-party public host (catbox.moe) without asking for explicit consent in the flow; (3) the guide assumes presence of python3 and standard paths but the registry did not declare those prerequisites.
Install Mechanism
Instruction-only skill with no install steps and no code files — low install risk.
Credentials
Only one credential (DASHSCOPE_API_KEY) is needed according to the SKILL.md which is proportionate. But the registry claims no required env vars, creating an inconsistency. The embedded example API key is an additional risk (possible accidental secret disclosure). No other unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges or modify other skills' configuration. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wan - After installation, invoke the skill by name or use
/wan - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
wan-image-gen v1.0.0
- Initial release of the wan-image-gen skill.
- Generates images using Alibaba DashScope wan2.6-t2i model.
- Downloads generated images directly to the user’s Desktop.
- Uploads images to catbox.moe for a public, shareable link.
- Includes step-by-step example workflow and error handling tips.
Metadata
Frequently Asked Questions
What is wan-image-gen?
Generate images using Alibaba DashScope wan2.6-t2i model, download to Desktop, and upload to catbox.moe image hosting. Use when the user asks to generate, cr... It is an AI Agent Skill for Claude Code / OpenClaw, with 459 downloads so far.
How do I install wan-image-gen?
Run "/install wan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is wan-image-gen free?
Yes, wan-image-gen is completely free (open-source). You can download, install and use it at no cost.
Which platforms does wan-image-gen support?
wan-image-gen is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created wan-image-gen?
It is built and maintained by Agentrix (@lxyd-ai); the current version is v1.0.0.
More Skills