Jiuma Free Text-to-Image
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill matches its stated image-generation purpose, but users should know it sends prompts to Jiuma’s API and can store a Jiuma API key locally.
This skill appears appropriate for generating images through Jiuma AI. Before installing, be comfortable with sending image prompts to Jiuma, and if you use the login flow, protect the saved API key file or delete it when you no longer need it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any local process with access to that file may be able to use the saved Jiuma API key and account quota.
The skill can persist a Jiuma API key locally and later use it as the X-Secret-Key header. This is expected for the optional login flow, but it is credential material that remains on disk.
JIUMA_API_KEY_SAVE_PATH = f"{JIUMA_API_KEY_SAVE_DIR}/jiuma_api_key"
...
def save_jiuma_api_key(api_key):
    with open(JIUMA_API_KEY_SAVE_PATH, "w") as f:
        f.write(api_key)
Only complete the login flow if needed, keep the workspace file private, consider removing the saved key when finished, and revoke or rotate the key if it may have been exposed.
Private or sensitive text included in prompts may be processed by Jiuma, and generated image links are returned from Jiuma-hosted infrastructure.
The user’s image prompt and requested dimensions are sent to the external Jiuma API, which is necessary for the stated image-generation function.
SUBMIT_API = "https://api.jiuma.com/api/textImage/add"
...
data, message = jiuma_request(SUBMIT_API, {"text": text, "width": width, "height": height}, headers=headers)
Avoid putting secrets, sensitive personal data, or confidential business information in prompts unless you are comfortable sending it to Jiuma’s service.
Users may need to install or rely on a local requests package version, which can vary by environment.
The skill documents a manual, unpinned dependency installation. The dependency is expected for this Python HTTP client, but it is outside the provided install metadata.
- requests library (`pip install requests`)
Install dependencies from a trusted package source, preferably in a virtual environment, and pin package versions if reproducibility matters.
