Qwen Image Plus Sophnet

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says—call Sophnet's image generation API and return image URLs—but users should notice that it requires a Sophnet API key and sends prompts to an external provider.

This skill is reasonable to install if you intend to use Sophnet Qwen-Image-Plus. Before using it, make sure you trust the Sophnet service, provide only a properly scoped API key, avoid sensitive prompt content, and be aware that the registry metadata does not fully declare the script's curl/API-key requirements.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Sophnet API key will be used to create image-generation jobs, which may consume quota or incur provider-side usage.

Why it was flagged

The script requires and uses a Sophnet bearer API key to create and poll image-generation tasks, which is purpose-aligned but gives the skill delegated account access to that API.

Skill content

API_KEY="${SOPHNET_API_KEY:-}" ... -H "Authorization: Bearer ${API_KEY}"

Recommendation

Use a Sophnet key scoped appropriately for image generation, prefer the SOPHNET_API_KEY environment variable over command-line key passing, and rotate the key if exposed.

What this means

Prompts, negative prompts, and generation parameters are shared with Sophnet, and returned image URLs may be accessible according to the provider's URL policy.

Why it was flagged

The script sends the user prompt and parameters to an external Sophnet API endpoint and later retrieves result URLs, which is disclosed and central to the skill's purpose.

Skill content

curl -sS -X POST "https://www.sophnet.com/api/open-apis/projects/easyllms/imagegenerator/task" ... -d "${payload}"

Recommendation

Do not include private or sensitive information in prompts unless you are comfortable sharing it with Sophnet, and review Sophnet's data handling terms.

What this means

A user may not learn from registry metadata alone that the skill runs a bash script, needs curl, and uses a Sophnet API key.

Why it was flagged

The skill has limited provenance metadata and does not declare the practical dependency and credential that the included script uses, although the script itself is present and its behavior is straightforward.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none; Env var declarations: none; Primary credential: none

Recommendation

Review the included script before use and update metadata to declare curl, SOPHNET_API_KEY, and the Sophnet API integration.