v1.1.0

pic-gen

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:24 AM.

Analysis

This skill’s image-generation behavior is coherent and disclosed, but users should understand it stores and uses API keys and depends on external Python packages.

Guidance: This looks like a normal image-generation helper. Before installing, be comfortable with giving it API keys for the image providers you want to use, understand that those keys may be saved in config/models.yaml, and avoid sharing that file. Use a separate environment for the Python dependencies and set provider spending limits where possible.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
requirements.txt
requests>=2.28.0
pyyaml>=6.0
banana-dev>=1.0.0

The skill depends on external Python packages with lower-bound version constraints rather than exact pinned versions. These packages are relevant to the skill, but dependency provenance and version drift are worth noticing.

User impact: Installing dependencies may pull newer package versions than the author tested.
Recommendation: Install dependencies in an isolated environment and consider pinning known-good versions if you rely on this skill for regular use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
User: "sk-xxxxxxxx" ... Bot writes to config/models.yaml and replies: "✅ Key saved! Generating…"

The skill explicitly asks users to provide provider API keys and saves them locally for image generation. This is expected for the stated purpose, but the keys can authorize account usage and possible provider costs.

User impact: Your OpenAI, DashScope, or Banana API key may be stored in the skill’s configuration and used to generate images.
Recommendation: Use provider keys with the least necessary permissions or spending limits, prefer environment variables when possible, and do not share config/models.yaml after adding real keys.