← 返回 Skills 市场
xexojay

Maliang Image

作者 eric · GitHub ↗ · v1.1.1
cross-platform ⚠ suspicious
412
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install maliang-image
功能描述
Generate images from text prompts or edit existing images with AI. Powered by Google Gemini via Maliang API. Free $6 credit on first use (~10 images). Suppor...
使用说明 (SKILL.md)

Maliang Image — AI Image Generation & Editing

Provider: Maliang API (nano.djdog.ai) Model: Google Gemini (image generation & editing) Pricing: $0.60/image, free $6 credit on first use (~10 images)

What it does

Generate images from text descriptions or edit existing images using AI.

  • No images provided → text-to-image generation
  • Images provided → AI image editing / inpainting (1–10 reference images, user-provided only)

Security & Data Handling

  • API Key: Auto-provisioned on first use via POST /api/v1/provision. The key is stored only in your local environment (MALIANG_API_KEY). You can revoke it at any time.
  • Images: Only images explicitly provided by the user are sent to the API. The skill never reads files unless the user specifies the file path. All uploads go over HTTPS.
  • No data collection: The API processes your request and returns results. Images are not stored permanently on the server.

Inputs needed

Input Source Required
Text prompt User message YES
Reference images User provides file paths or URLs NO (if omitted, generates from text)
Aspect ratio User preference NO (default: 1:1)

Auto-Provision (First-time Setup)

On first use (when MALIANG_API_KEY is not set), automatically provision a new account:

curl -s -X POST "https://nano.djdog.ai/api/v1/provision"

Response:

{
  "success": true,
  "data": {
    "api_key": "sk-...",
    "short_code": "ML-XXXXXX",
    "balance": 6.0,
    "currency": "USD",
    "recharge_url": "https://nano.djdog.ai/recharge/ML-XXXXXX",
    "message": "Your API key has been created with $6 initial credit (~10 images)..."
  }
}

Save the returned api_key as MALIANG_API_KEY for all subsequent requests. Tell the user their short code (ML-XXXXXX) and initial balance — they'll need the short code to recharge later.

Balance Check

After each task, check remaining balance:

curl -s "https://nano.djdog.ai/api/v1/balance" \
  -H "Authorization: Bearer ${MALIANG_API_KEY}"

Response includes short_code for recharge reference. If balance is low, remind the user:

Your balance is $X.XX. To recharge, visit: https://nano.djdog.ai/recharge/{short_code}

Workflow

Step 0 — Ensure API key

If MALIANG_API_KEY is not set, run Auto-Provision first (see above) and store the returned key.

Step 1 — Determine mode

  • If the user provides one or more images (file paths, URLs, or pasted base64): edit mode
  • Otherwise: generate mode

Step 2 — Prepare images (edit mode only)

For each image the user provides:

  1. If it is a local file path, read and base64-encode it.
  2. If it is a URL, download it first, then base64-encode.
  3. Strip any data:image/...;base64, prefix — the API accepts raw base64.
  4. Verify each image is under 10 MB after decoding.
  5. Maximum 10 images total.

Step 3 — Submit task

Generate mode — call:

curl -s -X POST "https://nano.djdog.ai/api/v1/generate" \
  -H "Authorization: Bearer ${MALIANG_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "\x3Cuser prompt>",
    "aspect_ratio": "\x3Cratio, default 1:1>"
  }'

Edit mode — call:

curl -s -X POST "https://nano.djdog.ai/api/v1/edit" \
  -H "Authorization: Bearer ${MALIANG_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "\x3Cuser editing instruction>",
    "image": "\x3Cbase64 string or array of base64 strings>",
    "aspect_ratio": "\x3Cratio, optional>"
  }'

Both return:

{
  "success": true,
  "data": {
    "task_id": "...",
    "status": "pending",
    "created_at": "..."
  }
}

Extract task_id from the response.

Step 4 — Poll for result

Poll every 3 seconds, up to 120 seconds max:

curl -s "https://nano.djdog.ai/api/v1/tasks/${TASK_ID}" \
  -H "Authorization: Bearer ${MALIANG_API_KEY}"

Response data.status values:

Status Meaning Action
pending Queued Keep polling
processing Generating Keep polling
completed Done Get image from image_url or image_base64
failed Error Show error.message to user
dead Max retries exceeded Show error, suggest retry

Step 5 — Deliver result

When status is completed:

  • If image_url is present: show the URL to the user (preferred).
  • If only image_base64 is present: save to a local file and show the path.

Output format

Image generated successfully!
URL: https://...
Aspect ratio: 1:1
Prompt: "\x3Coriginal prompt>"

Guardrails

  • Never fabricate task IDs or image URLs. Only use values from API responses.
  • Never poll more than 40 times (120 seconds). If not completed, tell the user it is still processing and provide the task ID for manual checking.
  • Do not send images larger than 10 MB to the edit endpoint.
  • Do not send more than 10 images to the edit endpoint.
  • If the API returns 402 (INSUFFICIENT_BALANCE), tell the user their balance is low and they need to recharge.
  • Prompt max length is 4000 characters. If the user's prompt is longer, ask them to shorten it.

Failure handling

Error Action
401 Unauthorized MALIANG_API_KEY is invalid or missing. Try re-provisioning a new account.
402 Insufficient Balance Tell user to recharge via https://nano.djdog.ai/recharge/{short_code} (get short_code from balance endpoint)
400 IMAGE_TOO_LARGE Tell user the image exceeds 10 MB limit
400 TOO_MANY_IMAGES Tell user max 10 images allowed
Network error Retry once, then report failure
Timeout (120s) Report task ID, suggest checking later

Examples

Text-to-image:

User: Generate a cute orange cat sitting on a windowsill at sunset, anime style
→ Auto-provision if no API key → POST /api/v1/generate with prompt → poll for result → return image URL

Image editing:

User: Change the background of this photo to a beach scene [attaches photo]
→ Base64-encode the photo
→ POST /api/v1/edit with prompt + image, poll for result, return image URL

Multi-image editing:

User: Combine these character designs into one group portrait [attaches 3 images]
→ Base64-encode all 3 images
→ POST /api/v1/edit with prompt + image array, poll for result, return image URL
安全使用建议
This skill appears to do what it says (call nano.djdog.ai to generate/edit images), but exercise caution before installing. Key points to consider: - The skill auto-provisions an API key by calling https://nano.djdog.ai/api/v1/provision and instructs you to save it as MALIANG_API_KEY, yet the registry metadata does not declare that env var — ask the publisher to declare MALIANG_API_KEY as a required/primary credential for clarity. - The skill will upload images you provide (local files or URLs). Do not supply any sensitive local files or URLs you do not want transmitted to an external service. Prefer pasting images explicitly intended to be uploaded. - The SKILL.md claims images are not stored permanently on the server; that is a promise by the third‑party service (nano.djdog.ai) and not enforced by this skill. Verify the service's privacy/security policy before sending private content. - If you are uncomfortable with automatic provisioning, consider provisioning the API key manually on the service and setting MALIANG_API_KEY yourself, or ask for the skill metadata to be updated to declare the env var. - Because source/homepage information is sparse in the registry metadata, verify the trustworthiness of nano.djdog.ai (homepage in SKILL.md) and that HTTPS endpoints are correct. If the publisher updates the skill metadata to explicitly list MALIANG_API_KEY in requires.env/primaryEnv and provides an authoritative privacy/security statement for nano.djdog.ai, this evaluation would likely move to benign. For now, treat it as suspicious and proceed only if you trust the external service and are careful about which images/files you provide.
功能分析
Type: OpenClaw Skill Name: maliang-image Version: 1.1.1 The skill is classified as suspicious due to significant vulnerability potential arising from its instructions to the AI agent. Specifically, SKILL.md instructs the agent to read and base64-encode *any* local file path provided by the user, or download from *any* user-provided URL, and then send this content to the `nano.djdog.ai` API as an 'image' payload. While this functionality is necessary for image editing, the lack of explicit guardrails against reading non-image files or accessing internal network resources creates a high risk of Local File Inclusion (LFI) or Server-Side Request Forgery (SSRF) if an attacker can trick the agent via prompt injection into providing sensitive file paths (e.g., `~/.ssh/id_rsa`, `/etc/passwd`) or malicious URLs. This represents a critical vulnerability rather than direct malicious intent from the skill itself.
能力评估
Purpose & Capability
Name/description (image generation & editing via Maliang/Gemini) align with the SKILL.md: it uses curl to call nano.djdog.ai endpoints for generate/edit tasks and polling. Required binary (curl) is appropriate and proportionate.
Instruction Scope
The runtime instructions tell the agent to auto‑provision an API key, store it in the environment as MALIANG_API_KEY, read local files (when the user supplies paths), download user-supplied URLs, and base64-encode content prior to upload. Those actions are expected for an image-edit skill, but the instructions reference MALIANG_API_KEY even though the registry metadata lists no required env vars. The SKILL.md also asserts 'images are not stored permanently on the server' — that is a trust claim in an external service and not verifiable from the instructions alone.
Install Mechanism
Instruction-only skill with no install spec or code files — low installation risk. It relies on curl (already declared), so nothing is downloaded or executed by an install step.
Credentials
The skill will create and use an API key (MALIANG_API_KEY) but the registry entry declares no required env vars or primary credential. The instructions require storing this key locally and using it for all requests; that should have been declared in requires.env/primaryEnv. This mismatch is a transparency issue and increases risk because the platform metadata doesn't advertise the main credential the skill will use.
Persistence & Privilege
always:false and autonomous invocation allowed (default) — appropriate. The skill instructs storing an API key in the environment (persistence local to the user), which is reasonable for usage but is not surfaced in registry metadata; no skill-level always:true or cross-skill config modification is present.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install maliang-image
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /maliang-image 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.1
- No functional changes in this release. - Version number updated to 1.1.1 for maintenance; all functionality remains as in 1.1.0.
v1.1.0
**Changelog for maliang-image v1.1.0** - Added a new, clearer provider name ("Maliang API") and updated branding throughout the documentation. - Improved API key management: now uses the `MALIANG_API_KEY` environment variable for better security and usability. - Clarified and expanded security & data handling policies. - Updated pricing and free credit details in the description and overview. - Enhanced metadata with homepage, environment variable, and clearer requirements. - Refined error messages and balance reminders for greater clarity. - Documentation reorganized for improved readability and usability; core API usage and workflows unchanged.
v1.0.0
- Initial release: AI-powered image generation and editing skill powered by Google Gemini. - Supports both text-to-image (from prompts) and image editing/inpainting (with 1–10 uploaded images). - Automatic API key provisioning and balance management, including user prompts for recharge. - Handles local files, URLs, and base64 images as input for editing; enforces 10MB/image and 10 images/task limit. - Guided workflow for submitting tasks, polling for results, and delivering images. - Includes robust error handling for common issues like insufficient balance, too-large images, and network timeouts.
元数据
Slug maliang-image
版本 1.1.1
许可证
累计安装 0
当前安装数 0
历史版本数 3
常见问题

Maliang Image 是什么?

Generate images from text prompts or edit existing images with AI. Powered by Google Gemini via Maliang API. Free $6 credit on first use (~10 images). Suppor... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 412 次。

如何安装 Maliang Image?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install maliang-image」即可一键安装,无需额外配置。

Maliang Image 是免费的吗?

是的,Maliang Image 完全免费(开源免费),可自由下载、安装和使用。

Maliang Image 支持哪些平台?

Maliang Image 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Maliang Image?

由 eric(@xexojay)开发并维护,当前版本 v1.1.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463368 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259467 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200457 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191163 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190189 · by oswalpalash

💬 留言讨论