OllamaDiffuser Image generation
Advisory
Audited by Static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing these packages can run third-party code and add dependencies to the local Python environment.
The skill recommends installing unpinned third-party Python packages. This is expected for a local image-generation tool, but users are relying on external package code not included in the reviewed artifacts.
`pip install ollamadiffuser`; `pip install "ollamadiffuser[full]"`; `pip install "ollamadiffuser[mcp]"`; `CMAKE_ARGS="-DSD_METAL=ON" pip install stable-diffusion-cpp-python`
Install in a virtual environment, verify the package source, consider pinning versions, and approve package installs before letting the agent run them.
A persisted token could be exposed if shell config files are shared, backed up insecurely, or read by other local processes.
The skill documents use of a Hugging Face token for gated models and suggests persisting it in shell startup files. This is purpose-aligned, but it makes the token available to future shell sessions and local processes.
`export HF_TOKEN=your_token_here` (Add to `.bashrc` or `.zshrc` for persistence).
Use a least-privilege Hugging Face token, avoid persisting it unless needed, keep shell config files private, and revoke the token if it is exposed.
