Jimeng Image Skill Openclaw
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
Install only if you are comfortable providing Jimeng/Volcengine API credentials and sending image prompts to that provider. Pin or verify the volcengine-python-sdk dependency, keep API keys out of chats and logs, and choose output paths carefully. No artifact evidence indicates malicious behavior. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume API quota or incur provider-side usage under the user's account.
The skill requires Jimeng API credentials, while the registry metadata says there are no required environment variables or primary credential. The credential use is purpose-aligned, but users should know the skill can act through their Jimeng/Volcengine account.
put Access Key and Secret Key via either environment variable: `Jimeng_Secret_Key` and `Jimeng_Access_Key=...`
Use a dedicated, least-privilege Jimeng/Volcengine key if possible, avoid sharing it in prompts or logs, and remove or rotate it when no longer needed.
Installing an unpinned package can expose the environment to unexpected dependency changes.
The skill depends on an external Python SDK but provides no pinned version or install spec. This is a normal integration dependency for the stated purpose, but it leaves dependency provenance and version selection to the user environment.
- volcengine-python-sdk If not exists, you need to pip it.
Install the SDK from a trusted package source, consider pinning a known-good version, and review dependency changes before upgrading.
Text prompts and generation parameters are shared with the external image-generation provider.
The script sends the user's prompt and generation parameters to the Jimeng/Volcengine VisualService API and decodes the returned image. This is disclosed and expected, but it means prompt content leaves the local environment.
"prompt": prompt, ... binary_data_base64 = visual_service.cv_process(form)["data"]["binary_data_base64"][0]
Do not include secrets or highly sensitive personal information in prompts unless you are comfortable sending them to the provider.
