apifox-image-gen
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to generate images as advertised, but it embeds an undeclared API key and sends prompts to an external provider, so it should be reviewed before use.
Use this skill only if you are comfortable sending prompts to jyapi.AI-WX.CN. Before relying on it, replace the embedded API key with your own securely configured key and avoid including sensitive information in prompts.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Image generation may run under an unknown shared API account; the key could be revoked, abused by others, or create unclear accountability for usage and submitted prompts.
The skill embeds and uses a provider API credential instead of requiring a declared user-provided credential. This makes it unclear whose account, quota, billing, and access policy authorize requests.
API_KEY = "sk-hJP0...E9859e" ... "Authorization": API_KEY
Remove the hardcoded secret, require the user to provide an API key through an environment variable or secure config, and declare that credential in metadata and documentation.
Any private or sensitive information included in the image prompt could be sent to the external image-generation service.
The user prompt and generation parameters are transmitted to the external jyapi.AI-WX.CN provider. This is consistent with the skill purpose and is disclosed, but it is still a data boundary users should understand.
BASE_URL = "https://jyapi.AI-WX.CN" ... "prompt": prompt ... urllib.request.urlopen(req, timeout=120)
Avoid putting secrets or sensitive personal information in prompts, and document the provider’s data handling expectations for users.
