Nova Canvas — Skill Tool
v1.1.0 Generate images using Amazon Nova Canvas via AWS Bedrock. Supports multiple AWS auth methods: environment variables, credentials file, named profiles, IAM in...
Security Scan
OpenClaw
Suspicious
Medium confidence: The skill's code and instructions generally match its stated purpose (calling AWS Bedrock Nova Canvas), but registry metadata omits the environment variables and dependency the implementation actually uses and there are small inconsistencies in auth-detection behavior — review credentials and provenance before installing.
Assessment Recommendations
This skill appears to do what it says: call AWS Bedrock Nova Canvas and save images. Before installing, consider: (1) provenance — the source is unknown, so review the code yourself or run in an isolated environment; (2) credentials — the script will use AWS credentials (env vars, ~/.aws/credentials, profiles, instance role, or AWS_BEARER_TOKEN_BEDROCK). Do not supply high-privilege or long-lived credentials; create a least-privilege IAM role/policy scoped only to Bedrock (invoke-model) and pref...
ℹ Purpose and Capabilities
Name/description say 'Nova Canvas via AWS Bedrock' and both SKILL.md and generate.py implement calls to Bedrock (boto3 or direct HTTPS with a bearer token). Requiring AWS credentials is appropriate for this purpose. However, the registry metadata lists no required environment variables or primary credential even though the implementation references AWS_BEARER_TOKEN_BEDROCK and standard AWS credential methods (env vars, ~/.aws/credentials, profiles, explicit keys). This mismatch is an omission in metadata (not necessarily malicious) but reduces transparency.
✓ Instruction Scope
SKILL.md and the script limit actions to building a Bedrock text->image request, invoking the model, decoding base64 images, and saving them locally. The instructions do not ask the agent to read arbitrary unrelated files; the only OS/config access is the standard AWS credential chain (env vars, ~/.aws/credentials, instance role) which is required to authenticate to Bedrock. Minor mismatch: SKILL.md lists an auto-detection order that differs slightly from detect_auth_method in the script.
ℹ Install Mechanism
There is no install spec (instruction-only), which is low risk for supply-chain downloads. However, the script imports boto3 if using the boto3 path and prints an error if it's missing (suggests pip install boto3). The absence of dependency declaration in metadata is a transparency shortcoming — user must ensure boto3 is installed in the runtime environment.
⚠ Credential Requirements
The skill legitimately needs AWS credentials to call Bedrock and the script accepts multiple auth methods (bearer token via AWS_BEARER_TOKEN_BEDROCK, access key/secret, session token, profile, instance role). That is proportional to the task. Concern: the registry metadata does not declare these environment variables or a primary credential, so users may not realize the skill will access local AWS credentials. Also the bearer-token env var name suggests platform-managed tokens; confirm what will supply that token. Use of long-lived high-privilege keys would be risky — the skill itself will send requests only to AWS Bedrock endpoints, but it will have whatever access the provided credentials permit.
✓ Persistence and Privileges
always is false and the skill does not attempt to modify other skills, system-wide settings, or persist new credentials. It only writes output image files to the specified path and uses standard AWS credential resolution; no elevated persistence or privilege escalation is requested.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.1.0 2026/3/25
Support 8 AWS auth methods: Bearer token, IAM keys, profiles, credentials file, instance roles, SSO, session tokens, direct keys. Fixed region default to us-east-1.
● Benign
Install Command
Official: npx clawhub@latest install nova-canvas
Mirror: npx clawhub@latest install nova-canvas --registry https://cn.clawhub-mirror.com
Skill Documentation
Generate images via Amazon Nova Canvas on AWS Bedrock.
AWS Auth Methods
| Method | How to Use |
|---|---|
| Bearer token | AWS_BEARER_TOKEN_BEDROCK env var or --bearer-token |
| Environment variables | Set AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY |
| Credentials file | Configure ~/.aws/credentials |
| Named profile | --profile my-profile or AWS_PROFILE env var |
| Direct keys | --access-key AKIA... --secret-key ... |
| Temporary credentials | Add --session-token with direct keys |
| IAM instance role | Auto-detected on EC2/ECS/Lambda |
| AWS SSO | Run aws sso login first |
Quick Start
python3 {baseDir}/scripts/generate.py "your prompt" -o output.png
python3 {baseDir}/scripts/generate.py "your prompt" -o output.png --profile work
python3 {baseDir}/scripts/generate.py "your prompt" -o output.png --access-key AKIA... --secret-key ...
Parameters
| Flag | Default | Description |
|---|---|---|
| prompt | — | Text description of the image |
| -o, --output | output.png | Output file path |
| -W, --width | 1024 | Width 512-4096, divisible by 64 |
| -H, --height | 1024 | Height 512-4096, divisible by 64 |
| -n, --count | 1 | Number of images (1-5) |
| -q, --quality | standard | standard or premium |
| -s, --seed | random | Seed for reproducibility |
| --negative | — | Negative prompt (what to avoid) |
| --cfg | 8.0 | CFG scale 1.1-10.0 |
| --region | us-east-1 | AWS region |
| --profile | — | AWS named profile |
| --access-key | — | AWS Access Key ID |
| --secret-key | — | AWS Secret Access Key |
| --session-token | — | AWS Session Token |
| --bearer-token | — | Bearer token (overrides env) |
Workflow
- Craft a detailed English prompt (Nova Canvas performs best in English).
- Choose size: square 1024×1024, landscape 1280×768, portrait 768×1280.
- Run generate.py with timeout=120.
- Send resulting image to user via message tool.
Prompt Tips
- Detailed English prompts yield best results.
- Specify style: "oil painting", "watercolor", "3D render", "photograph", "anime".
- Use --negative "blurry, low quality, text, watermark" to exclude unwanted elements.
Data source: ClawHub · Chinese localization: 龙虾技能库