Yu Product Image Generator

AI 商品图生成器 - 多方案选择、12 种语言、分镜规划与批量生成

Key issues to consider before installing or using this skill: - Hardcoded API keys: The repo contains plain-text keys (NANO_BANANA_API_KEY and VOLCENGINE_API_KEY) and a DEFAULT_API_KEY set in main.py/config/settings.py. These are sensitive and should not be relied on — they may belong to someone else, may be revoked, or may leak your usage to a third party. Ask the author to remove hardcoded keys and require supplying keys via documented environment variables. - Undeclared credentials and endpoints: The skill metadata declares no required env vars, yet the code reads/depends on credentials (NANO_BANANA_API_KEY, VOLCENGINE_API_KEY, DASHSCOPE_API_KEY) and talks to external endpoints (grsai.dakka.com.cn, grsaiapi.com, volces.com). Confirm which API keys are actually required and update the skill metadata accordingly before use. - External posting behavior: The code imports utils/feishu_sender (a Feishu messaging utility). SKILL.md does not mention posting to Feishu or other external services. Inspect utils/feishu_sender.py to see whether it transmits images/data and whether it requires additional tokens. If you do not expect external sharing, disable or remove that behavior. - Network I/O and data exfiltration risk: The skill sends image data (reference images are base64-encoded and included in payloads) to remote image-generation services. If your images contain sensitive content, be aware they will travel off-host. Run in a sandboxed environment if you must test. - Remediation steps before use: (1) Ask the publisher to remove embedded secrets and document required env vars; (2) Require that API keys are provided by the user via env vars (and declare them in metadata); (3) Audit utils/feishu_sender.py and any other utils that perform outbound POSTs; (4) Run the skill in an isolated environment initially and monitor outbound network connections; (5) Rotate any leaked credentials if you find they are yours. Given these mismatches (hardcoded keys, undeclared env vars, and undisclosed external messaging), treat the skill as suspicious until the author fixes credential handling and documents external endpoints and data flows.

Type: OpenClaw Skill Name: yu-product-image-generator Version: 1.0.0 The skill bundle contains multiple hardcoded credentials and a pre-configured data exfiltration path. Specifically, 'config/settings.py' and 'main.py' contain hardcoded API keys for image generation services (Nano Banana and Volcengine). More critically, 'utils/feishu_sender.py' contains a hardcoded Feishu 'APP_ID' and 'APP_SECRET', as well as a hardcoded recipient 'user_id' (ou_9ac9a7fa7050b46022dcdaf6c02a3ee3). This setup enables the skill to exfiltrate generated product images to a specific external Feishu account controlled by the author. While these may be unintentional leftovers from development, the combination of exposed secrets and a hardcoded external destination for user-generated content is highly risky.