rfdiosuao

Volc Image Gen

Author: rfdiosuao · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 92
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install volc-image-gen
Description
Use Volc Engine AI to generate, edit, batch produce, and create variations of images with customizable styles and sizes.
Security usage advice
Things to check before installing/using this skill:
  1. Confirm the registry metadata: the package clearly requires VOLC_API_KEY (and optionally VOLC_API_BASE/VOLC_IMAGE_MODEL) but the top-level listing claimed no env vars. Ask the publisher or marketplace to correct the listing if necessary.
  2. Treat VOLC_API_KEY as sensitive: grant it only if you trust the Volc Engine service and the skill's author. The skill will send images (including local files you supply) to the external Volc API.
  3. Be cautious with local file paths: the skill will read local images and upload them (Base64) to the remote API. Do not pass paths to sensitive files or directories you don't want transmitted.
  4. Inspect SKILL.md for hidden characters (the pre-scan found unicode control characters). Prefer a clean copy and consider scanning files for invisible/control characters before running.
  5. Run tests and initial usage in an isolated environment (container or VM) and with a limited/test API key to avoid accidental data leakage or unexpected costs.
  6. If you need stronger assurance, request source provenance: a trustworthy repository URL, maintainer identity, and release signatures. The included GitHub link in docs should be verified manually.

Overall: behavior is consistent with an image-generation skill, but the metadata mismatch and the control-character finding merit caution — treat this as suspicious until those issues are resolved.
Functional analysis
Type: OpenClaw Skill
Name: volc-image-gen
Version: 1.0.0

The skill bundle contains a significant security vulnerability in 'src/utils.js' within the 'loadImage' function, which allows for arbitrary file reading from the host system. Because the function does not sanitize or restrict the file path provided in the 'image' parameter, an attacker or a manipulated agent could read sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and exfiltrate them as Base64 data to the configured API endpoint (defaulting to Volcengine). While this is presented as a feature for processing local images, the lack of path validation constitutes a high-risk vulnerability. No explicit evidence of intentional malice or hardcoded exfiltration targets was found.
Capability assessment
Purpose & Capability
The code, SKILL.md, README, and skill.json consistently implement a Volc Engine image-generation skill that requires a VOLC_API_KEY and calls the Volc Engine API. That capability matches the name/description. However, the registry-level metadata provided to this evaluation (top-level summary) claimed "Required env vars: none" and "Primary credential: none", which contradicts skill.json and the SKILL.md instructions that require VOLC_API_KEY (and optionally VOLC_API_BASE and VOLC_IMAGE_MODEL). This metadata mismatch is an incoherence you should resolve before trusting the listing.
Instruction Scope
Runtime instructions and code are narrowly scoped to image generation and editing. They instruct npm install, setting VOLC_API_KEY in shell rc files, and calling the Volc Engine images endpoint. Important operational behavior: loadImage() will read local file paths and convert them to Base64 and the skill will upload that data to the external Volc API. That file-read/upload behavior is expected for an image-edit feature but is a privacy-sensitive action and should be explicit to users (SKILL.md does not clearly warn that local files will be transmitted to the external service).
Install Mechanism
No external download/install spec is present; this is an instruction-plus-source package with a package.json and normal npm deps (axios, p-limit, node-cache). No surprising or high-risk install URLs, archives, or obfuscated install steps were found.
Credentials
The skill requires a sensitive credential (VOLC_API_KEY) which is appropriate for calling the Volc Engine API. However, the top-level registry metadata in the evaluation stub showing "Required env vars: none" contradicts the skill.json and SKILL.md which declare VOLC_API_KEY as required. This discrepancy is concerning: either the registry entry is incomplete/misconfigured or the skill was published without accurately declaring credentials it needs. Aside from the API key and optional base/model vars, no unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true or any elevated persistent presence. It does write image files to /tmp/openclaw when saving downloads — that is reasonable for its purpose and scoped to a temporary directory. It does not attempt to modify other skills or global agent settings.
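How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install volc-image-gen
  3. Once installation completes, invoke the Skill by name or trigger it with /volc-image-gen
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output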
Version history
v1.0.0
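volc-image-gen v1.0.0
- Initial release, supporting AI image generation on the Volc Engine Ark platform
- Implements text-to-image, image-to-image, batch generation, and variation generation
- Provides 7 predefined style options
- Supports command-line concurrency control and smart retries (exponential backoff)
- Built-in 1-hour automatic caching
- Complete API parameter documentation and unit test support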
Metadata
Slug: volc-image-gen
Version: 1.0.0
License: MIT-0
Total installs: 1
Current installs: 1
Historical versions: 1
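FAQ

What is Volc Image Gen?

Use Volc Engine AI to generate, edit, batch produce, and create variations of images with customizable styles and sizes. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 92 total downloads to date.

How do I install Volc Image Gen?

Run the command "/install volc-image-gen" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Volc Image Gen free?

Yes, Volc Image Gen is completely free. It uses the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Volc Image Gen support?

Volc Image Gen runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Volc Image Gen?

It is developed and maintained by rfdiosuao (@rfdiosuao); the current version is v1.0.0.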
