qwencloud-image-generation
ReviewAudited by ClawScan on May 10, 2026.
Overview
The image-generation behavior mostly matches the stated purpose, but a bundled update helper can prompt agents to install or update extra QwenCloud skills from an unpinned remote source, so it deserves review before use.
Install only if you are comfortable using a QwenCloud API key and uploading selected images to QwenCloud. Do not let the agent run update/install commands from the helper automatically; review and approve any `npx skills add` command or persistent agent-config change yourself.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user follows the prompt without review, it could install or update additional skill code beyond the image-generation skill.
The bundled helper can emit agent-readable prompts to install an additional skill from `QwenCloud/qwencloud-ai` using `-y`; this is not central to image generation and is not pinned to a reviewed version.
INSTALL_CMD = f"npx skills add {_SKILLS_REPO} --skill qwencloud-update-check -y" ... "[ACTION_REQUIRED] qwencloud-update-check skill is not installed. Install: {INSTALL_CMD}"Treat update/install messages as advisory only; inspect the referenced repository and require explicit user approval before running any `npx skills add` command, preferably pinned to a trusted version.
Using the skill may spend QwenCloud account credits, especially for multi-image or sequential outputs.
The skill uses a paid image-generation API, and some documented defaults generate multiple billable images.
`n` | 4 | Number of images to generate (1–4). **Billed per image.** Set to 1 for testing.
Ask the agent to set `n=1` for tests and confirm before batch, sequential, or high-resolution generation.
Anyone with the key could use the associated QwenCloud account and potentially incur usage charges.
The skill needs a provider API key that can access the user's QwenCloud account; this is expected for the integration but sensitive.
Scripts require a **standard QwenCloud API key** (`sk-...`).
Store the key only in environment variables or a protected `.env` file, never paste it into chat, and rotate it if exposed.
Reference images selected for editing can leave the local machine and be processed by QwenCloud/provider storage.
For image editing, local reference images may be uploaded to provider-managed storage before the generation request.
def _resolve_file_url(value: str, api_key: str, model: str) -> str:
"""Resolve a local file path or URL, uploading to OSS if needed."""Only provide image paths or URLs you intend to upload to QwenCloud, and avoid private or regulated images unless that use is acceptable.
Approved config changes can affect how future agent sessions select and load skills.
The compatibility guide can create persistent agent configuration entries so future agents auto-load QwenCloud skills; it does require user approval.
**Ask the user before modifying any file.** Then append to their config:
Review any proposed `CLAUDE.md` or `AGENTS.md` changes before approving, and remove the block if you no longer want automatic QwenCloud skill loading.