WaveSpeed AI

Generate and edit images and videos using WaveSpeed AI's 700+ model library. Use when the user wants to generate images from text prompts (FLUX, Seedream, Qw...

Key points before installing: (1) The skill actually requires WAVESPEED_API_KEY, but the metadata doesn't declare it — expect to provide that API key. (2) Do not run or instruct the agent to run commands that print your API key (e.g., 'echo $WAVESPEED_API_KEY') because that can leak the secret into logs or chat; instead copy the key privately into the agent's secure credential store. (3) Verify you trust the wavespeed.ai API and its pricing/terms; the script will send your key to api.wavespeed.ai and download URLs returned by that service. (4) The packaging is sloppy (README asks to install axios/form-data though the script uses built-ins), which suggests the repo wasn't carefully reviewed — inspect the code yourself or run it in a sandbox. (5) If you proceed, ask the maintainer to update the skill metadata to declare WAVESPEED_API_KEY as the primary credential and remove any guidance that prints secrets; consider auditing network endpoints and running the CLI in an isolated environment first.

Type: OpenClaw Skill Name: wavespeed Version: 1.1.0 The skill is classified as suspicious due to critical vulnerabilities in `scripts/wavespeed.js`. The `download` function allows downloading files over unencrypted HTTP if the URL starts with `http://` or if an HTTPS URL redirects to HTTP, exposing the agent to MITM attacks. Additionally, the script is vulnerable to path traversal, as the `--output` argument is used directly to construct file paths for `fs.createWriteStream` without sanitization, potentially allowing an attacker to write files to arbitrary locations on the filesystem (e.g., `../../../tmp/malicious.sh`). There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, but these vulnerabilities pose a significant risk.