← 返回 Skills 市场

Cloudflare Image Generation

Name: Cloudflare Image Generation
Author: expysf98

作者 EXPYSF98 · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

1223

总下载

当前安装

版本数

在 OpenClaw 中安装

/install cloudflare-image-gen

功能描述

Generate images using Cloudflare Workers AI flux-1-schnell model. Use when user requests image generation with text-to-image using Cloudflare Workers API.

使用说明 (SKILL.md)

Cloudflare Image Generation

This skill generates images using Cloudflare Workers AI @cf/black-forest-labs/flux-1-schnell model.

Credentials

Account ID: 1e89d3ce76cbfef3b5c340e3984b7a52
Token: aCTA2KaKa1n3ayFDL-LPmZ-JgUC0HHgA5Msy18Bk
Model: @cf/black-forest-labs/flux-1-schnell

Usage

Run the script directly:

python3 /home/ubuntu/.openclaw/workspace/skills/cloudflare-image-gen/scripts/generate_image.py "your prompt here" -o output.png

Or use the Python function:

import sys
sys.path.insert(0, '/home/ubuntu/.openclaw/workspace/skills/cloudflare-image-gen/scripts')
from generate_image import generate_image

output_path = generate_image("a black horse")

Output

The script saves the generated image as PNG and returns the file path. Send the image to the user via Telegram.

安全使用建议

Do not install or run this skill as-is. It embeds a Cloudflare bearer token and account ID in SKILL.md and the script — credentials should never be hard-coded in shared skills. If you are the owner and intend to use this skill safely: (1) remove the embedded token and require users to supply their own credentials via environment variables or a secure secrets mechanism; (2) replace shell-based curl with a safe HTTP call (e.g., python requests or subprocess.run with a list of arguments) to avoid shell injection risks from untrusted prompts; (3) avoid instructing sending images via Telegram unless the skill declares and uses Telegram credentials securely; (4) if the included token might be real, assume it is compromised and rotate/revoke it immediately. If you need help making these fixes, request a version that uses environment variables for credentials and safe HTTP calls.

功能分析

Type: OpenClaw Skill Name: cloudflare-image-gen Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/generate_image.py`. The `subprocess.run(cmd, shell=True)` call embeds user-controlled input (`prompt`) directly into a `curl` command string without proper sanitization, allowing an attacker to execute arbitrary shell commands. Additionally, a Cloudflare API token (`aCTA2KaKa1n3ayFDL-LPmZ-JgUC0HHgA5Msy18Bk`) is hardcoded in both `SKILL.md` and `scripts/generate_image.py`, posing a credential exposure risk.

能力评估

ℹ Purpose & Capability

The name/description (Cloudflare image generation) match the included script which calls Cloudflare's AI endpoint; functionality is coherent. However, instead of asking the user to provide their own Cloudflare credentials, the skill contains hard-coded Account ID and Token in SKILL.md and the script, which is unexpected for a shared skill.

⚠ Instruction Scope

Runtime instructions reference absolute paths under /home/ubuntu/.openclaw and explicitly instruct sending the result via Telegram even though no Telegram credentials or integration are declared. The script writes API responses to /tmp/cf_response.json and uses hardcoded credentials — these broaden the scope beyond a minimal image-generation helper.

✓ Install Mechanism

No install spec (instruction-only + a small script). Nothing is downloaded or installed by the skill itself.

⚠ Credentials

No required env vars are declared, yet a bearer token and account ID are embedded in both SKILL.md and the script. Publishing credentials inside the skill is disproportionate and risky — anyone with the skill can use that token. The skill also instructs sending images via Telegram without declaring or requesting Telegram credentials.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills or system settings, and does not request elevated or persistent platform privileges.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install cloudflare-image-gen
安装完成后，直接呼叫该 Skill 的名称或使用 /cloudflare-image-gen 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Cloudflare-image-gen 1.0.0 initial release: - Added support for generating images using Cloudflare Workers AI flux-1-schnell model via API. - Provided command line and Python function usage for image generation from text prompts. - Images are saved as PNGs, with output file path returned for further use. - Instructions included for integrating image output with Telegram.

元数据

Slug cloudflare-image-gen

版本 1.0.0

许可证 —

累计安装 7

当前安装数 7

历史版本数 1

常见问题