free quota text to image

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches its text-to-image purpose, but it sends prompts to external providers and can use and locally persist provider token state for quota rotation.

Install only if you are comfortable sending prompts to the listed third-party providers. Configure only the provider tokens you want this skill to use, keep the token-status file private, and leave the OpenAI-compatible paid fallback disabled unless you explicitly want that route.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Configured provider tokens may be used automatically for generation attempts and quota rotation, and token strings may appear in the local token-status file.

Why it was flagged

Provider API token values are used as persisted state keys when quota is exhausted, creating a local record tied to the configured credentials.

Skill content
exhausted[token] = True
self._save_state()
Recommendation

Configure only tokens you intend this skill to use, prefer limited-scope or disposable provider tokens, and protect or periodically clear the token-status state file.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Prompts, optimized prompts, and generation requests may be processed by external services such as Pollinations, Hugging Face, Gitee, ModelScope, A4F, or a configured OpenAI-compatible endpoint.

Why it was flagged

Prompt optimization sends the user's prompt text to an external text API before image generation, which is purpose-aligned but crosses a third-party data boundary.

Skill content
{"role": "user", "content": prompt},
...
return _chat_request(POLLINATIONS_API_URL, payload, headers={}, timeout=timeout, fallback=prompt)
Recommendation

Avoid confidential prompts unless you trust the selected providers; disable prompt optimization or force a specific provider when you need tighter data control.