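🎭 Sideload Avatar Generator — 3D Avatar Generation
v1.0.2
Generate 3D avatars in VRM/GLB/MML format from text or an image in one step via Sideload.gg, for just 2 USDC per generation. Payment is supported from any x402 wallet on the Base chain.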
Last updated: 2026/4/22
Security scan
OpenClaw: Safe (medium confidence)
Assessment and recommendations
This package appears to implement exactly what it claims — a Node.js CLI that posts prompts/images to sideload.gg and pays via an x402 token — but take these precautions before running it: 1) Treat the x402 token as a secret. Avoid passing it on the command line if others share the machine or if you care about it appearing in process listings or shell history; prefer a safer mechanism (stdin, ephemeral file, or an environment variable in a secure session) if possible. 2) Only upload images you i...
✓ Purpose and capabilities
Name/description, required binary (node), packaged scripts, and network endpoints (sideload.gg) are consistent: the skill submits prompts/images, accepts an x402 payment token, polls for a job, and downloads results. No unrelated cloud credentials or binaries are requested.
ℹ Instruction scope
Runtime instructions and included scripts only reference the Sideload API and result URLs. They read a local image file if you supply a path (and will base64-embed it into the request) and write downloaded outputs to an output directory. This is expected for an uploader/downloader, but it means any local file path you pass will be transmitted to the remote service.
✓ Install mechanism
No remote install or arbitrary download is performed by the skill itself (it's instruction/code included in the bundle). It relies only on Node.js and npm (explicit npm install recommended). There are no suspicious external installers or obscure download URLs in the manifest.
⚠ Credential requirements
No environment variables or long-lived credentials are required. However, the tool expects an x402 payment token passed as a command-line argument (--x402-token). Passing secrets via CLI exposes them to other local users via process listings and may be recorded in shell history; additionally, uploading a local image path will transmit that file to sideload.gg (possible leakage of sensitive files if misused).
✓ Persistence and privileges
The skill does not request persistent/always-on privileges, does not alter other skills or system-wide settings, and does not persist credentials. Default autonomous invocation settings are unchanged.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.2 2026/2/15
● Suspicious
Install command
Official: npx clawhub@latest install sideload-avatar-generator
Mirror (accelerated): npx clawhub@latest install sideload-avatar-generator --registry https://cn.longxiaskill.com