al1enjesus

WaveSpeed AI

by Ilya · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
740 Downloads · 0 Stars · 2 Active Installs · 2 Versions
Install in OpenClaw
/install wavespeed
Description
Generate and edit images and videos using WaveSpeed AI's 700+ model library. Use when the user wants to generate images from text prompts (FLUX, Seedream, Qw...
Usage Guidance
Key points before installing:
  1. The skill actually requires WAVESPEED_API_KEY, but the metadata doesn't declare it — expect to provide that API key.
  2. Do not run or instruct the agent to run commands that print your API key (e.g., 'echo $WAVESPEED_API_KEY') because that can leak the secret into logs or chat; instead copy the key privately into the agent's secure credential store.
  3. Verify you trust the wavespeed.ai API and its pricing/terms; the script will send your key to api.wavespeed.ai and download URLs returned by that service.
  4. The packaging is sloppy (README asks to install axios/form-data though the script uses built-ins), which suggests the repo wasn't carefully reviewed — inspect the code yourself or run it in a sandbox.
  5. If you proceed, ask the maintainer to update the skill metadata to declare WAVESPEED_API_KEY as the primary credential and remove any guidance that prints secrets; consider auditing network endpoints and running the CLI in an isolated environment first.
Capability Analysis
Type: OpenClaw Skill
Name: wavespeed
Version: 1.1.0
The skill is classified as suspicious due to critical vulnerabilities in `scripts/wavespeed.js`. The `download` function allows downloading files over unencrypted HTTP if the URL starts with `http://` or if an HTTPS URL redirects to HTTP, exposing the agent to MITM attacks. Additionally, the script is vulnerable to path traversal, as the `--output` argument is used directly to construct file paths for `fs.createWriteStream` without sanitization, potentially allowing an attacker to write files to arbitrary locations on the filesystem (e.g., `../../../tmp/malicious.sh`). There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, but these vulnerabilities pose a significant risk.
Capability Assessment
Purpose & Capability
The skill's stated purpose (WaveSpeed image/video generation) matches the code and model list: the CLI talks to api.wavespeed.ai and exposes model aliases. However, the registry metadata says no required environment variables or primary credential, while both SKILL.md and the script clearly require WAVESPEED_API_KEY. That inconsistency is important: a user installing this skill would not be warned that a secret is needed.
Instruction Scope
SKILL.md instructs the agent to check the WAVESPEED_API_KEY env var (and even suggests running echo $WAVESPEED_API_KEY). Asking the agent/user to echo an API key risks accidental leakage into logs or chat. The instructions also say to check TOOLS.md and to 'ask the user' if no key is found; those are reasonable, but the explicit echo advice is risky and unnecessary for normal operation.
Install Mechanism
There is no install spec (instruction-only) which lowers install risk. Minor packaging inconsistencies: README suggests installing 'axios form-data' but the shipped script only uses built-in https/fs and package.json lists no dependencies. This looks like sloppy packaging rather than active malicious behavior.
Credentials
The code requires WAVESPEED_API_KEY (process.env.WAVESPEED_API_KEY) and will exit if it's not set, yet the skill metadata declares no required env vars or primary credential. The SKILL.md also asserts the key is 'already set in all Clawster containers' — an unverifiable and suspicious claim. The instruction to echo the env var could expose the secret; environment access is more privileged than the metadata indicates.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable. It does not attempt to persist itself or change system-wide settings. No elevated persistence privileges are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wavespeed
  3. After installation, invoke the skill by name or use /wavespeed
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added API key setup section with sign-up link, created README
v1.0.0
Initial release. Text-to-image, image editing (face-preserving nano-banana-pro), text-to-video, image-to-video. 16 model aliases including FLUX, Kling, Veo, Sora, Seedream.
Metadata
Slug wavespeed
Version 1.1.0
License
All-time Installs 2
Active Installs 2
Total Versions 2
Frequently Asked Questions

What is WaveSpeed AI?

Generate and edit images and videos using WaveSpeed AI's 700+ model library. Use when the user wants to generate images from text prompts (FLUX, Seedream, Qw... It is an AI Agent Skill for Claude Code / OpenClaw, with 740 downloads so far.

How do I install WaveSpeed AI?

Run "/install wavespeed" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WaveSpeed AI free?

Yes, WaveSpeed AI is completely free (open-source). You can download, install and use it at no cost.

Which platforms does WaveSpeed AI support?

WaveSpeed AI is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created WaveSpeed AI?

It is built and maintained by Ilya (@al1enjesus); the current version is v1.1.0.
