NexPix — Cloudflare Image Generation

AI image generation via Cloudflare Workers AI (free tier, FLUX models) with premium EvoLink fallback. Use when generating images from text prompts, creating...

Things to verify before installing: - Metadata mismatch: the registry claimed no credentials, but SKILL.md and the code require a Cloudflare Workers AI token and optionally an EvoLink API key. Expect the skill to read those from CF_WORKERS_AI_TOKEN or ACCESS/cloudflare-workers-ai.env and ACCESS/evolink.env. If you don't want it reading files in ~/.openclaw/workspace/ACCESS, do not install or inspect code first. - Hard-coded Cloudflare account: nexpix.js contains a hard-coded CF_ACCOUNT_ID. Confirm whether you must replace it with your own account id; otherwise API calls may be directed to someone else's account (privacy/cost implications). - Auto-attach behavior: the skill prints MEDIA:<path> and saves images to ~/.openclaw/media/. OpenClaw will auto-attach/send those images to the active channel (Discord/Telegram). If automatic upload of generated images is undesirable, avoid enabling integration or modify the code to require explicit upload. - Secrets handling and permissions: store tokens with least privilege and check ACCESS/ files' permissions. Consider using environment variables instead of loose files in workspace if you prefer. - Unknown origin: no homepage and the repository/author are minimal; if you need higher assurance, review the full nexpix.js (the provided file was truncated in output) and any EvoLink endpoints to ensure no hidden endpoints or unexpected data exfiltration occur. - Test safely: run the skill in an isolated environment (throwaway account, container, or VM) and monitor outbound network traffic before giving it production credentials. If you want, I can (a) scan the remaining truncated part of nexpix.js for EvoLink calls and unexpected hosts, (b) produce a list of exact files/lines that read secrets or print MEDIA:, or (c) suggest minimal code edits to remove the hard-coded account id and make token requirements explicit.

Type: OpenClaw Skill Name: nexpix Version: 1.0.0 The NexPix skill bundle is a legitimate tool for generating images using Cloudflare Workers AI and the EvoLink API. The code in `nexpix.js` correctly implements routing logic, quota tracking, and secure credential handling by reading from the expected OpenClaw `ACCESS/` directory. While it contains a hardcoded Cloudflare Account ID as a default, this does not pose a security risk as API tokens are validated by Cloudflare against the specific account. The shell script `scripts/deploy-worker.sh` uses standard `wrangler` commands for deployment, and the `SKILL.md` instructions are strictly aligned with the stated image generation purpose without any signs of prompt injection or malicious intent.