IMA AI Image Generator & Photo Generator — Poster, Thumbnail, Logo, Art, Illustration, Product & Social Media Graphic Design
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is coherently focused on IMA image generation, but it needs an IMA API key, can upload selected images, can install a Python dependency when asked, and stores local preferences/logs.
Before installing, confirm you trust the IMA provider and publisher, use a scoped/test IMA_API_KEY for first use, avoid custom --base-url values unless trusted, and only upload images you are comfortable sending to the service.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can authenticate to IMA services and may consume API quota or credits for generation/upload workflows.
The skill requires a provider API key and sends it to disclosed IMA service endpoints; this is expected for the stated image-generation purpose but is still sensitive account authority.
credentialNote: "IMA_API_KEY is required at runtime. It is sent to api.imastudio.com and, for local image uploads, to imapi.liveme.com."
Use a scoped or test IMA API key when trying the skill, keep it in the environment rather than files, and rotate it if exposed.
If a custom base URL is supplied incorrectly, API requests and credentials could go to an unintended endpoint.
The runtime uses the API key with a CLI-provided base URL. This can be useful for diagnostics/testing, but users should keep the default trusted endpoint unless they intentionally trust an override.
api_key = args.api_key or os.getenv("IMA_API_KEY") ... tree = get_product_list(args.base_url, api_key, args.task_type, language=args.language)Do not override --base-url unless you know and trust the destination.
Images chosen for transformation may be sent to IMA-related upload and CDN services.
For image-to-image with local files, selected images are uploaded to provider/CDN infrastructure. This is disclosed and purpose-aligned, but it means local image content leaves the device.
`imapi.liveme.com` | Upload-token request for local image inputs ... `*.aliyuncs.com` / `*.esxscloud.com` | Presigned binary upload + media CDN delivery
Only provide local images you are comfortable uploading to the IMA image-generation service.
Model preferences and operational logs may remain locally, and optional cross-skill references can affect workflow guidance.
The skill stores local preference/log state and may optionally read another skill's reference files. The paths are disclosed and scoped, but persistent context can influence later runs.
persistence:\n readWrite:\n - ~/.openclaw/memory/ima_prefs.json\n - ~/.openclaw/logs/ima_skills/\ninstructionScope:\n crossSkillReadOptional:\n - ~/.openclaw/skills/ima-knowledge-ai/references/*
Review or delete the disclosed ~/.openclaw memory/log paths if needed, and only rely on cross-skill references from skills you trust.
Running setup with --install may change the local Python environment by installing dependencies.
The setup script can install Python dependencies from the repository requirements file when the user runs the install path. This is user-directed and expected, not hidden, but dependency installation is a supply-chain-sensitive action.
subprocess.run([sys.executable, "-m", "pip", "install", "-r", str(REQUIREMENTS_PATH)], check=True)
Use a virtual environment if possible and inspect requirements.txt before running the install step.