Skill v1.0.0
ClawScan security
BizyAir 图生图(Image-to-Image)助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 13, 2026, 2:47 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement an image-to-image workflow as described, but there are inconsistencies between the declared metadata and what the code and instructions actually require (missing declared env vars and dependencies), and it will upload local images to external servers — review before installing or running.
- Guidance: This skill implements the promised image-to-image flow, but you should be cautious before installing or running it: (1) The package metadata omitted required items — the scripts expect a BIZYAIR_API_KEY environment variable and the alibabacloud_oss_v2 Python library; confirm and provide those only if you trust the service. (2) Running the skill will upload your local images to BizyAir and Alibaba OSS (external servers). Do not use sensitive or private images unless you trust BizyAir and understand their data retention/privacy policy. (3) Review the scripts (scripts/i2i_workflow.py and scripts/api.py) yourself — they print and transmit prompt content and perform network calls with your API key. (4) If you need higher assurance, ask the author to correct the registry metadata (declare BIZYAIR_API_KEY and the Python dependency) and provide documentation on token scopes and data handling before proceeding.
Review Dimensions
- Purpose & Capability (concern): The skill's name and description (image-to-image) match the code and SKILL.md: scripts upload a local image and create an I2I task on BizyAir. However the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the code require BIZYAIR_API_KEY; this mismatch between declared metadata and actual needs is inconsistent and should be clarified.
- Instruction Scope (note): SKILL.md and the scripts instruct the agent to read local image files and upload them to BizyAir (via a token + OSS upload), then create and poll tasks. That behavior is in-scope for an image-to-image skill, but it does mean local files are transmitted to an external service (BizyAir and Alibaba OSS). The instructions do not ask for unrelated files or system credentials beyond the API key.
- Install Mechanism (concern): There is no install spec in the registry and SKILL.md only mentions python3, but the code depends on the alibabacloud_oss_v2 Python package (it exits if missing). The missing declaration of this dependency is an inconsistency (a user may be surprised by the required pip install). No remote download/install URLs are present, which lowers install risk, but dependency documentation is incomplete.
- Credentials (concern): The code and SKILL.md require a BIZYAIR_API_KEY environment variable (used as a Bearer token) which is appropriate for calling the BizyAir API. However the registry metadata lists no required env vars — an omission. The code also receives temporary OSS access_key/secret/security_token from the service to perform uploads; those are short-lived and provided by the remote API (expected for this flow).
- Persistence & Privilege (ok): The skill is not always-on and is user-invocable (defaults). It does not request persistent presence or modify other skills or system-wide config. It runs as a standalone script invoked by the agent or user.
