apifox-image-gen

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Image generation may run under an unknown shared API account; the key could be revoked or abused by others, and it leaves accountability for usage and submitted prompts unclear.

Why it was flagged

The skill embeds and uses a provider API credential instead of requiring a declared user-provided credential. This makes it unclear whose account, quota, billing, and access policy authorize requests.

Skill content
API_KEY = "sk-hJP0...E9859e" ... "Authorization": API_KEY
Recommendation

Remove the hardcoded secret, require the user to provide an API key through an environment variable or secure config, and declare that credential in metadata and documentation.

What this means

Any private or sensitive information included in the image prompt could be sent to the external image-generation service.

Why it was flagged

The user prompt and generation parameters are transmitted to the external jyapi.AI-WX.CN provider. This is consistent with the skill purpose and is disclosed, but it is still a data boundary users should understand.

Skill content
BASE_URL = "https://jyapi.AI-WX.CN" ... "prompt": prompt ... urllib.request.urlopen(req, timeout=120)
Recommendation

Avoid putting secrets or sensitive personal information in prompts, and document the provider’s data handling expectations for users.