ZenMux Image Generation
v1.5.0
Generate images via ZenMux API (Pro/Elite). Supports Text-to-Image, Image-to-Image, and Multi-Image reference fusion.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md, and scripts/generate.py consistently implement image generation against ZenMux's API (text->image, image->image, multi-image fusion). However the registry metadata lists no required environment variables while the SKILL.md and script both require ZENMUX_API_KEY; this metadata omission is an incoherence.
Instruction Scope
SKILL.md and the script stay within the stated purpose: they require an API key, optionally read local image files provided by the user, base64-encode them, and POST to the ZenMux endpoint. There are no instructions to read unrelated system files, other environment variables, or to exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install specification (lowest risk for install-time behavior). The Python script uses the 'requests' package but the package.json does not declare any dependencies and there is no guidance to install Python dependencies; this is a usability/packaging omission rather than a direct code-level risk, but you should ensure dependencies are installed from trusted sources before running.
Credentials
The script requires a single API key (ZENMUX_API_KEY) which is proportionate to the task. The concern is that the skill registry metadata does not declare this required environment variable or a primary credential, so installing or enabling the skill could misrepresent the credentials it needs. The missing declaration reduces transparency and could lead users to provide a sensitive key without realizing which skill needs it.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false). It does not modify other skills' configs or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk factors.
What to consider before installing
This skill appears to do what it claims, but take these precautions before installing or running it:
- Note the metadata omission: the SKILL.md and scripts require ZENMUX_API_KEY, but the registry metadata does not list any required env vars. Don't provide credentials until you confirm where they will be used and stored.
- Review the script yourself (it is short) and verify the outbound endpoint (https://zenmux.ai/api/vertex-ai). If you don't trust that domain or vendor, do not supply keys or run the script.
- Run the script in an isolated environment (container or VM) and ensure Python dependencies (requests) are installed from trusted sources (pip from PyPI) before execution.
- Only use API keys with least privilege and be mindful of sensitive input images (e.g., minors, IDs); multi-image fusion could combine private images in unexpected ways.
- Contact the skill publisher or maintainers to ask them to update registry metadata to declare ZENMUX_API_KEY as a required credential and to provide installation/dependency instructions.
If you need lower risk: ask for a version that includes a proper install spec (dependencies declared) and correct required-env metadata before enabling.
Like a lobster shell, security has layers — review code before you run it.
