Skill v1.0.0
ClawScan security
WuyinKeji GPT-Image-2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 10:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are coherent with its stated purpose (wrapping the WuyinKeji GPT-Image-2 async image API); nothing requests unrelated credentials, installs, or system access.
- Guidance: This skill appears to do exactly what it says: call WuyinKeji's async image API and download results. Before installing or using it: (1) do not paste any real API keys into chat; supply your key only via the script argument or a secure input method; (2) verify that the example API key in SKILL.md is not an active/secret key — treat it as suspect until confirmed; (3) confirm you trust the domain https://api.wuyinkeji.com and the provider's terms/privacy if you will send sensitive reference images; (4) review network egress policies if your environment restricts outbound calls. If you need higher assurance, ask the skill author for provenance of the example key or a publisher/homepage link.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, and the provided Bash script all align: they submit an async image-generation task to api.wuyinkeji.com, poll for results, and download the image. No unrelated services, binaries, or credentials are requested.
- Instruction Scope (note): Instructions stay within the image-generation flow (submit → poll → download). Minor oddity: the SKILL.md explicitly says to use the skill when the user mentions a specific API key string or the domain; and it includes an example API key literal. That is a documentation/activation hint rather than functional scope creep, but the presence of a literal key in docs is worth checking (could be an example, a leaked/test key, or sensitive).
- Install Mechanism (ok): No install spec; this is instruction-only plus a small helper script. Nothing is downloaded or written during install. Low install risk.
- Credentials (note): The skill declares no required env vars or primary credential; the script accepts an API key as a CLI argument, which is appropriate. However, the SKILL.md contains a literal API key example (DG97rZEqdfTvNTMGG5iFuHUVvm). Verify whether that key is a harmless example or an active secret before using it.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request system-wide persistence or modify other skills. Default autonomous invocation is unchanged and appropriate for a user-invoked integration.
