AI Image Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says—generate images through YouMind—but it requires a YouMind API key, uses an external CLI, may run short background polling, and saves results to a YouMind board.

Install this only if you trust YouMind and its CLI. Configure the API key outside chat, verify the npm package before global installation, avoid sensitive image prompts, and remember that generated images are saved to your YouMind board.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use the configured YouMind account to generate and save images.

Why it was flagged

The skill requires a YouMind API key so the agent can call the user's YouMind account through the CLI.

Skill content
primaryEnv: YOUMIND_API_KEY ... requires: ... env: ["YOUMIND_API_KEY"]
Recommendation

Use an API key you trust for this purpose, configure it outside chat, and revoke or rotate it if you stop using the skill.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the CLI changes the local/global npm environment and depends on the npm package being trustworthy.

Why it was flagged

The setup path installs an external npm CLI globally and does not pin a specific package version.

Skill content
npm install -g @youmind-ai/cli
Recommendation

Verify the npm package and publisher before installing, and consider pinning or reviewing the CLI version in managed environments.

ASI05: Unexpected Code Execution
Low
What this means

The agent may run local commands as part of the image-generation workflow.

Why it was flagged

The skill allows local command execution for the YouMind CLI and Node helpers. This is mostly purpose-aligned, but `node -e *` is broader than the visible extraction script requires.

Skill content
allowed-tools:
  - Bash(youmind *)
  - Bash(npm install -g @youmind-ai/cli)
  - Bash(node -e *)
  - Bash(node scripts/*)
Recommendation

Limit use to the documented YouMind commands and `scripts/extract-images.js`; avoid arbitrary `node -e` execution unless the user explicitly approves.

ASI06: Memory and Context Poisoning
Low
What this means

Prompts and generated image results may become part of the user's YouMind workspace.

Why it was flagged

The skill persists generated outputs in the user's YouMind board rather than keeping them only in the local chat.

Skill content
Generated images are saved to your YouMind board automatically.
Recommendation

Avoid sensitive prompts or private content unless you are comfortable storing the result in YouMind.

ASI10: Rogue Agents
Low
What this means

The agent may continue checking image status briefly after returning control to the main chat.

Why it was flagged

The skill may delegate polling to a background task, but the visible instructions bound it to the image-generation chat and a 60-second timeout.

Skill content
spawn a subagent/background task for the polling work. Return control to the user immediately ... Timeout: 60 seconds
Recommendation

Use background polling only for the documented chat status check, keep the timeout, and notify the user when complete.