Zhipu Image Generator
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it says: use a Zhipu API key to generate images from prompts and save them locally.
Before installing, confirm you are comfortable sending image prompts to Zhipu AI and using your Zhipu API quota. Store the API key securely, and prefer ordinary prompt text because quotes or special characters may not be escaped cleanly by the current shell script.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can spend quota or incur charges on the user's Zhipu account.
The script uses the user's Zhipu API key as a bearer credential to make image-generation API calls. This is expected for the stated integration and no credential leakage is shown.
API_KEY="${ZHIPU_API_KEY:-}" ... -H "Authorization: Bearer $API_KEY"
Use a dedicated API key if possible, monitor Zhipu usage, and avoid sharing the .env file or terminal output containing account details.
Prompts are sent to Zhipu's service, and malformed prompt text with quotes or control characters may cause the API request to fail or behave unexpectedly.
The skill uses curl to send user-provided prompt text to the external API and download the returned image. This is central to the skill's purpose, though the prompt is interpolated into JSON without robust JSON escaping.
RESPONSE=$(curl -s -X POST "$API_URL" ... "\"prompt\": \"$PROMPT\"" ...); curl -s -o "$OUTPUT_FILE" "$IMAGE_URL"
Treat prompts as data sent to a third-party provider, avoid sensitive prompt content, and consider updating the script to build JSON with jq or another proper JSON encoder.
