Skill v1.1.0
ClawScan security
imgforge — Free AI Image Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 4:39 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (calling ModelScope's Z-Image-Turbo API), and the single required secret (MODELSCOPE_API_KEY) is appropriate for that purpose.
- Guidance: This skill appears to do what it says: it uses your MODELSCOPE_API_KEY to call ModelScope's image-generation API and saves the returned image. Before installing, verify you trust ModelScope (api-inference.modelscope.ai) and the GitHub source (homepage points to a repo). Be aware that creating the ModelScope setup may require binding an Alibaba Cloud account (phone verification and a payment method on file). Treat your MODELSCOPE_API_KEY as a secret (it will be transmitted in Authorization headers to ModelScope) — use a dedicated token you can revoke if needed. If you want extra caution, review the included imgforge.py (simple, stdlib HTTP code) and consider running it locally rather than granting any automated agents persistent access.
Review Dimensions
- Purpose & Capability (ok): Name/description, README, SKILL.md and imgforge.py all describe a text→image client that calls ModelScope's async image-generation API; required binary (python3) and required env var (MODELSCOPE_API_KEY) are consistent with that purpose.
- Instruction Scope (ok): Runtime instructions only invoke the included python script and describe how to obtain/set MODELSCOPE_API_KEY. The script contacts api-inference.modelscope.ai, downloads the returned image URL and saves it locally. The instructions do not request unrelated files, credentials, or external endpoints.
- Install Mechanism (ok): No install spec; code is bundled as a small Python script and optional Pillow dependency. No arbitrary downloads or extract-from-URL steps are present in the package metadata.
- Credentials (note): Only MODELSCOPE_API_KEY is required, which is appropriate. Note: README and SKILL.md instruct users to bind an Alibaba Cloud account (phone verification and a payment method are required by Alibaba even if ModelScope usage is free); the bearer token will be sent to modelscope.ai (expected) so treat it as sensitive.
- Persistence & Privilege (ok): Skill is not always-enabled and is user-invocable. disable-model-invocation is false (normal platform default); the skill does not modify other skills or system-wide settings.
