Image Gen
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This image-generation skill appears purpose-aligned, but it uses a required API key, calls an external image API, writes local output/config files, and references shared helper docs not included in the artifact set.
This skill looks reasonable for generating images, but install it only if you are comfortable providing a Labnana/ListenHub API key and sending your image prompts and optional reference image URLs to the external provider. Check the referenced shared configuration/authentication files if available, and review the confirmation summary before approving each generation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the configured provider API key to submit image-generation requests, which may expose prompts to the provider and may consume paid API quota.
The skill requires an API key for the image-generation provider. This is expected for the stated purpose, but it is still account credential access that users should recognize.
requires:
 env: ["LISTENHUB_API_KEY"]
 primaryEnv: "LISTENHUB_API_KEY"
Use a scoped API key if available, monitor provider usage, and avoid submitting sensitive prompts or private reference image URLs unless you intend to send them to the image provider.
The agent will send the selected prompt, image parameters, and optional reference image URLs to Labnana after confirmation.
The skill instructs the agent to make an external API request to generate images. This is central to the skill's purpose and is gated by explicit user confirmation.
Submit: `POST https://api.labnana.com/openapi/v1/images/generation` with timeout of 600s
Review the final confirmation summary before approving generation, especially when prompts or reference URLs contain private or sensitive content.
Some behavior may be governed by external shared guidance that is not visible in the supplied artifacts.
The skill depends on shared instruction files that are not present in the provided manifest. This is a review-context/provenance gap rather than evidence of malicious behavior.
Always read `shared/authentication.md` for API key and headers
Follow `shared/common-patterns.md` for error handling
Always read config following `shared/config-pattern.md` before any interaction
Before installing, confirm that the referenced shared files come from a trusted source and do not add unexpected credential handling or network behavior.
