modelscope-image

Advisory: Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The visible code is coherent, but this review cannot verify the portions of the script that were not included in the supplied artifact.

Why it was flagged

The executable script content is not fully visible in the supplied artifact, limiting review of the unseen tail of the file.

Skill content
"truncated": true
Recommendation

Where possible, inspect the complete scripts/gen.py from the installed package or a trusted registry before running it with real credentials.

What this means

Anyone using the skill must supply a ModelScope API token; calls made with it consume that account's quota and carry whatever permissions the token has.

Why it was flagged

The script uses the provided ModelScope API key as a bearer token when calling the ModelScope API, which is expected for this integration.

Skill content
"Authorization": f"Bearer {api_key}"
Recommendation

Use a dedicated, least-privileged ModelScope token where possible, keep it out of chat transcripts and logs, and supply it through the MODELSCOPE_API_KEY environment variable rather than on the command line, where it is visible in process listings and shell history.
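The key-handling pattern this recommendation describes, as an added example that is not the skill's scripts/gen.py (which is not visible here): the key is read only from MODELSCOPE_API_KEY, a key passed on the command line is refused, and the Authorization header is redacted before anything is logged. The helper names (load_api_key, build_headers, redact_headers) and the forbidden-flag list are assumptions made for this example.

```python
import os
import sys
from typing import Mapping, Sequence

ENV_VAR = "MODELSCOPE_API_KEY"
# Hypothetical flags refused here: anything on argv shows up in `ps` output
# and shell history, so the key must never travel that way.
FORBIDDEN_FLAGS = ("--api-key", "--token", "-k")


def load_api_key(argv: Sequence[str], environ: Mapping[str, str]) -> str:
    """Return the API key from the environment, rejecting keys passed on argv."""
    for arg in argv[1:]:
        flag = arg.split("=", 1)[0]          # handles both --api-key=X and --api-key X
        if flag in FORBIDDEN_FLAGS:
            raise ValueError(
                f"refusing {flag}: set {ENV_VAR} instead; command-line arguments "
                "leak to process listings and shell history"
            )
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise ValueError(f"{ENV_VAR} is not set")
    return key


def build_headers(api_key: str) -> dict:
    """Request headers using the same bearer scheme the reviewed script uses."""
    return {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    }


def redact_headers(headers: Mapping[str, str]) -> dict:
    """Copy of the headers that is safe to log: token reduced to its last 4 chars."""
    out = dict(headers)
    auth = out.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
        tail = token[-4:] if len(token) > 4 else ""
        out["Authorization"] = "Bearer ****" + tail
    return out


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; no request is sent.
    env = dict(os.environ)
    env.setdefault(ENV_VAR, "ms-example-key-0000")
    try:
        key = load_api_key(sys.argv, env)
    except ValueError as exc:
        sys.exit(str(exc))
    headers = build_headers(key)
    print("sending with headers:", redact_headers(headers))  # never log `headers` itself
```

The redacted copy is what goes into logs or chat output; the real header dictionary is passed only to the HTTP call.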

What this means

Text prompts and generation parameters are shared with ModelScope to generate the requested images.

Why it was flagged

The script sends the model, prompt, image count, and size to ModelScope's external image-generation endpoint.

Skill content
url = "https://api-inference.modelscope.cn/v1/images/generations"
Recommendation

Do not submit confidential or sensitive prompt content unless you are comfortable sharing it with ModelScope under its terms and privacy practices.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
references/api_reference.md:338
Finding
File appears to expose a hardcoded API secret or token.
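Why the script's own `f"Bearer {api_key}"` line is not flagged while a documentation line can be: a scanner has to separate template placeholders from literal values. The check below is an added example, not ClawScan's rule set (which the page does not show), and the sample lines are constructed for it; the flagged token is made up and does not reproduce what references/api_reference.md:338 actually contains. Pattern names, thresholds and the `sample.md` path are assumptions for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Candidate secrets: a bearer token, or a quoted value assigned to a key/token/secret.
BEARER_RE = re.compile(r"Bearer\s+([^\s\"'`]+)")
ASSIGN_RE = re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*[\"']([^\"']+)[\"']")
# Placeholder syntax: {template} braces, <angle> brackets, $ENV references, or the
# usual doc conventions (YOUR_TOKEN, EXAMPLE, xxx, ..., ***). Assumed list, not exhaustive.
PLACEHOLDER_RE = re.compile(r"[{}<>$]|\.{3}|\*{3}|(?i:your|example|xxx|redacted|placeholder)")
MIN_LEN = 16        # assumed: shorter strings are rarely real API secrets
MIN_ENTROPY = 3.0   # assumed: bits/char; random hex or base64 keys sit around 3.5-5


@dataclass
class Hit:
    lineno: int
    kind: str     # "placeholder" | "literal" | "low_entropy"
    token: str


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify(token: str) -> str:
    if PLACEHOLDER_RE.search(token):
        return "placeholder"                     # template, env var or doc stand-in
    if len(token) >= MIN_LEN and shannon_entropy(token) >= MIN_ENTROPY:
        return "literal"                         # long and random-looking: treat as a secret
    return "low_entropy"                         # repeated chars etc.: noted, not flagged


def scan(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, start=1):
        tokens = BEARER_RE.findall(line) + ASSIGN_RE.findall(line)
        for token in dict.fromkeys(tokens):     # dedupe while keeping order
            hits.append(Hit(lineno, classify(token), token))
    return hits


def report(path: str, lines: Iterable[str]) -> List[str]:
    """ClawScan-style `path:line` entries, only for hits that look like real secrets."""
    return [
        f"{path}:{h.lineno} suspicious.exposed_secret_literal ({h.token[:6]}...)"
        for h in scan(lines)
        if h.kind == "literal"
    ]


# Constructed sample input; the "literal" token is invented for this example.
SAMPLE_LINES = [
    '"Authorization": f"Bearer {api_key}"',                        # the reviewed script's form
    'curl -H "Authorization: Bearer $MODELSCOPE_API_KEY" "$URL"',  # env-var reference
    'Authorization: Bearer <your-token>',                          # doc placeholder
    'Authorization: Bearer ms-7f3a9c2e1b8d4f6a0e5c9b2d7a1f3e8c',   # constructed literal
    'api_key = "sk-EXAMPLE0000000000000000"',                     # marked example value
    'Authorization: Bearer aaaaaaaaaaaaaaaaaaaaaaaa',             # low entropy: not a real key
    'url = "https://api-inference.modelscope.cn/v1/images/generations"',  # nothing to flag
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LINES):
        print(f"line {h.lineno}: {h.kind:12} {h.token}")
    print(*report("sample.md", SAMPLE_LINES), sep="\n")
```

Only the fourth sample line reaches the report; the f-string, the `$ENV` reference and the `<your-token>` stand-in are classified as placeholders, and a run of identical characters is kept out of the report because its entropy is far below what a real key shows. A real scanner would add known key prefixes and provider-specific formats on top of this entropy test.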