SMTools Image Generation Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent image-generation skill, with expected cautions around API keys, external AI providers, local setup, and saved image files.
Install only if you are comfortable running its setup script, installing its Python dependency, using provider API keys, and sending prompts or selected images to OpenRouter, Kie.ai, or YandexART. Keep API keys scoped and revocable, avoid sensitive images unless necessary, and save outputs to a safe directory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the skill can use your configured image-provider accounts to submit generation requests.
The skill explicitly uses delegated provider credentials for image-generation services. This is disclosed and purpose-aligned, but those credentials can authorize account usage and billing.
OpenRouter ... Requires `OPENROUTER_API_KEY`; Kie.ai ... Requires `KIE_API_KEY`; YandexART ... Requires `YANDEX_IAM_TOKEN` and `YANDEX_FOLDER_ID`.
Use provider-specific, revocable API keys with limited permissions or spend limits where available, and keep any .env file private.
Private prompts or images used for editing may be transmitted to OpenRouter or the selected provider.
For image editing, a local input image is encoded and sent in a request to the external provider. This is expected for provider-based editing, but it means image contents and prompts may leave the local machine.
`image_b64 = self._encode_image(input_image)` ... `requests.post(API_URL, headers=headers, json=payload, timeout=120)`
Avoid using sensitive images or confidential prompts unless you are comfortable with the selected provider's data handling terms.
Running setup later could install a different compatible version of the Requests package.
The setup script installs dependencies from this requirements file, and the version range is not fully pinned. This is common for Python tools but allows future dependency versions to be installed.
`requests>=2.28.0`
Run setup only for packages you trust; for stricter reproducibility, prefer pinned and hashed dependencies.
Generated images are saved locally, either in the default output directory or in a custom path if supplied.
The provider writes generated image bytes to the requested output path. This is expected for an image-generation tool, but a poorly chosen custom path could overwrite a user-accessible file.
`output_path = Path(output_path)` ... `output_path.parent.mkdir(parents=True, exist_ok=True)` ... `open(output_path, "wb")`
Use the default output directory or specify a safe output path when asking the agent to save images.
