Stability AI

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Stability AI image-generation skill, with user-visible handling of an API key, external prompt submission, local metadata, dependencies, and automatic cleanup of older generated outputs.

Before installing, make sure you are comfortable providing a Stability API key, sending prompts to Stability AI or a trusted configured endpoint, and having prompt metadata saved locally. Keep important generated images outside the auto-cleanup folder and review dependency installation in a trusted Python environment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Stability API key can authorize paid image-generation requests, and a custom API_HOST would receive that bearer token.

Why it was flagged

The skill reads a Stability API key and sends it as a bearer token to the configured API host. This is expected for Stability image generation, but it is sensitive account authority and is under-declared in the registry metadata.

Skill content
API_HOST = os.getenv('API_HOST', 'https://api.stability.ai')
API_KEY = os.getenv("STABILITY_API_KEY")
...
"Authorization": f"Bearer {API_KEY}"

Recommendation

Use a dedicated or limited Stability API key, keep API_HOST on the official endpoint unless you trust the alternative, and confirm usage costs before generating many images.

What this means

Private or sensitive details included in prompts may remain in local metadata files after generation.

Why it was flagged

The skill stores the prompt and negative prompt in local JSON metadata for each generated image. This is disclosed and useful, but it can preserve sensitive prompt text on disk.

Skill content
"prompt": prompt,
"negative_prompt": negative_prompt,
...
metadata_path = _save_metadata(metadata, output_dir, base_filename)

Recommendation

Avoid putting secrets or private personal data in image prompts, and review or delete metadata files when needed.

What this means

The exact package versions installed later may differ from the versions reviewed today.

Why it was flagged

The dependency list is unpinned, and SKILL.md says the script handles dependencies automatically on first run. These packages are purpose-aligned, but unpinned first-run installs can vary over time.

Skill content
requests
python-dotenv
pillow

Recommendation

Install from a trusted Python environment and consider pinning or reviewing package versions before first use.

What this means

Older generated images and metadata may disappear if you rely on the skill's output directory as long-term storage.

Why it was flagged

The skill discloses automatic deletion of older generated outputs. This is scoped and purpose-aligned, but users should know generated files may be removed without an additional prompt.

Skill content
Automatically keeps the last 20 generated images. Older files and their metadata are removed to save disk space.

Recommendation

Move important generated images to another folder or adjust cleanup behavior if you need to keep more than the last 20 outputs.