功能描述

Generate images from text with a free-quota-first multi-provider workflow. Use this skill when a user asks for text-to-image generation that needs provider r...

使用说明 (SKILL.md)

Free Quota Image Skill

Name: free quota text to image
Author: chiayengu

\r

Overview\r

\r Use this skill to run a provider-agnostic text-to-image pipeline with free-quota-first routing, token rotation, and prompt enhancement. \r

Workflow\r

\r

Load config from {baseDir}/assets/config.example.yaml or user-provided config.
Resolve provider order (--provider auto follows routing.provider_order).
Resolve model candidates per provider (requested -> z-image-turbo -> provider default).\r
Prepare prompt for each attempt:\r
- optionally auto-translate for target models\r
- optionally optimize prompt with provider text model\r
Execute generation request.\r
On quota/auth failures, rotate token; if exhausted, move to next provider.\r
Repeat the generation flow when --count > 1, and rotate provider/token start position per image to spread load.
Return stable JSON output fields or direct URL output. \r

Commands\r

\r Install dependencies:

python -m pip install -r {baseDir}/scripts/requirements.txt

\r Run generation:\r \r

python {baseDir}/scripts/run_text2img.py --prompt "cinematic rainy tokyo alley" --json

\r Run with explicit provider/model:\r \r

python {baseDir}/scripts/run_text2img.py --prompt "a fox astronaut" --provider gitee --model flux-2 --json

\r Save image locally:\r \r

python {baseDir}/scripts/run_text2img.py --prompt "retro sci-fi city" --output ./out.png

Generate multiple images in one run:

python {baseDir}/scripts/run_text2img.py --prompt "anime passport portrait" --count 4 --json

\r

CLI contract\r

\r Use {baseDir}/scripts/run_text2img.py with the fixed contract: \r

--prompt (required)\r
--provider (auto|huggingface|gitee|modelscope|a4f|openai_compatible, default auto)
--model (default z-image-turbo)\r
--aspect-ratio (default 1:1)\r
--seed (optional int)\r
--steps (optional int)\r
--guidance-scale (optional float)\r
--enable-hd (flag)\r
--optimize-prompt / --no-optimize-prompt (default on)\r
--auto-translate / --no-auto-translate (default off)\r
--config (default {baseDir}/assets/config.example.yaml)
--output (optional output file path)
--count (number of images in one run, default 1)
--json (structured output) \r

Output contract\r

\r When --json is used, output these fields on success:\r \r

id\r
url\r
provider\r
model\r
prompt_original\r
prompt_final\r
seed\r
steps\r
guidance_scale\r
aspect_ratio\r
fallback_chain\r
elapsed_ms\r \r On failure, output structured error fields: \r
error_type\r
error\r
fallback_chain

When --count > 1, JSON output contains:

count
images (array of standard success payloads)
elapsed_ms \r

References\r

\r Read only what is needed:\r \r

Provider API wiring: references/provider-endpoints.md
Model coverage and fallback: references/model-matrix.md
Token rotation and date rules: references/token-rotation-policy.md
Prompt optimization pipeline: references/prompt-optimization-policy.md
OpenClaw setup details: references/openclaw-integration.md \r

Scope boundaries\r

\r Keep this skill focused on text-to-image core only.\r \r Do not add image editing, video generation, or cloud storage workflows in this skill.\r

安全使用建议

This skill implements the advertised multi-provider image pipeline but you should be cautious before installing or running it: - Secrets: the skill expects provider tokens (HF/Gitee/ModelScope/A4F/OpenAI-compatible) via config or environment variables (T2I_PEINTURE_*), but the registry entry did not list them. Do not place production secrets in repository files — use OpenClaw env injection or a vault. - .env reading: when run, the CLI will try to load .env files from the current and parent directories. Run it from a safe folder (not your repo root containing other secrets) or remove .env files you don't want read. - Network & privacy: prompt optimization and translation send your prompt text to third-party endpoints (e.g., https://text.pollinations.ai/openai and provider chat endpoints). If prompts contain sensitive info, disable prompt optimization/translation (CLI flags --no-optimize-prompt, --no-auto-translate) or review/host the services yourself. - Persistent state: exhausted-token metadata is written to ~/.codex/skills/.state/free-quota-image-skill/token_status.json. If you share your machine, be aware this file can reveal which tokens were used/exhausted. - Review configuration: inspect assets/config.example.yaml, references/provider-endpoints.md, and references/prompt-optimization-policy.md to confirm endpoints and behaviors before using. Provide only tokens you are willing to expose to the configured endpoints and prefer injected environment configs rather than committed files. If you want higher assurance, ask the skill author to: (1) declare required env vars in registry metadata, (2) avoid automatic .env loading or make it opt-in, and (3) document exactly which external endpoints will receive prompt text and under what conditions.

功能分析

Type: OpenClaw Skill Name: free-quota-image-skill Version: 1.0.0 The skill is suspicious due to critical vulnerabilities that could lead to arbitrary file writes and potential token exfiltration. The `scripts/run_text2img.py` script allows a user-controlled `--output` path for downloading images, which could be exploited for arbitrary file writes (e.g., overwriting sensitive system files or configuration). Additionally, the `load_config` and `_resolve_env_placeholders` functions in `scripts/run_text2img.py` process environment variables and user-specified config files, which, if controlled by an attacker, could redirect API calls (and associated tokens) to malicious endpoints (e.g., via `providers.openai_compatible.api_url` in `assets/config.example.yaml`). While the code's intent for these features is benign (saving images, configuring APIs), the lack of input sanitization or path restrictions makes them exploitable vulnerabilities.

能力评估

⚠ Purpose & Capability

The code and SKILL.md match the stated purpose (free-quota-first routing, token pooling, prompt optimization, multi-provider support). However the registry metadata lists no required environment variables or primary credential while the code and example config clearly expect provider tokens (T2I_PEINTURE_* placeholders) and an optional openai_compatible API URL. The omission of required env declarations in the registry is an inconsistency that could mislead users about secret handling needs.

⚠ Instruction Scope

SKILL.md documents the workflow and CLI, but the runtime instructions and code do more than simple image generation: prompt optimization and translation send user prompt text to external services (text.pollinations.ai and provider chat endpoints), the loader will read local .env files (run_text2img.load_dotenv checks multiple locations), and the tool persists exhausted-token state to a file under ~/.codex/skills/.state/. These actions are within the skill's image-generation scope but have privacy and secret-exposure implications that SKILL.md does not fully foreground.

✓ Install Mechanism

No automatic install spec in the registry; the README/ SKILL.md instructs installing minimal Python dependencies (requests, PyYAML) from scripts/requirements.txt. There are no downloads from untrusted URLs or archives in the install path — install risk is low and expected for a Python CLI tool.

⚠ Credentials

Although registry metadata reports no required env vars, the example config and openclaw-integration.md expect multiple provider tokens (T2I_PEINTURE_HF_TOKENS, T2I_PEINTURE_GITEE_TOKENS, T2I_PEINTURE_MODELSCOPE_TOKENS, T2I_PEINTURE_A4F_TOKENS, T2I_PEINTURE_OPENAI_COMPATIBLE_TOKENS) and an optional API URL. The skill will load .env files from working/parent dirs and substitute ${VAR} placeholders, meaning it can read secrets from the environment or .env files despite not declaring them — this mismatch is a proportionality/privacy concern.

ℹ Persistence & Privilege

The skill persists per-provider exhausted-token state to a user-writable path (default ~/.codex/skills/.state/free-quota-image-skill/token_status.json) and will create parent directories. It does not request always:true or modify other skills. Persisting token status is functionally reasonable for token rotation, but users should be aware of on-disk state and its location.

版本历史

v1.0.0

- Initial release of free-quota-image-skill. - Supports text-to-image generation via multiple providers, using a free-quota-first routing system. - Includes token pooling and automatic rotation on quota/auth failures; supports public API fallback for Hugging Face. - Provides prompt optimization, provider/model fallback, and batch image generation in one command. - Outputs structured JSON with stable fields for successful or failed generations. - Includes a CLI with flexible provider/model selection and configurable output options.

元数据

Slug free-quota-image-skill

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题

free quota text to image 是什么？

Generate images from text with a free-quota-first multi-provider workflow. Use this skill when a user asks for text-to-image generation that needs provider r... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 401 次。

如何安装 free quota text to image？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install free-quota-image-skill」即可一键安装，无需额外配置。

free quota text to image 是免费的吗？

是的，free quota text to image 完全免费（开源免费），可自由下载、安装和使用。

free quota text to image 支持哪些平台？

free quota text to image 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 free quota text to image？

由 ChiayenGu（@chiayengu）开发并维护，当前版本 v1.0.0。

free quota text to image