Jimeng Image Skill Openclaw

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: jimeng-image-skill-openclaw
Version: 0.1.0

The skill is a standard implementation for generating images using the Jimeng (Volcengine) API. The Python script (scripts/main.py) uses the official 'volcengine-python-sdk' to process requests and correctly handles API credentials via environment variables. There are no signs of malicious intent, data exfiltration, or dangerous command execution in either the code or the agent instructions (SKILL.md).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may consume API quota or incur provider-side usage under the user's account.

Why it was flagged

The skill requires Jimeng API credentials, while the registry metadata says there are no required environment variables or primary credential. The credential use is purpose-aligned, but users should know the skill can act through their Jimeng/Volcengine account.

Skill content
put Access Key and Secret Key via either environment variable: `Jimeng_Secret_Key` and `Jimeng_Access_Key=...`

Recommendation

Use a dedicated, least-privilege Jimeng/Volcengine key if possible, avoid sharing it in prompts or logs, and remove or rotate it when no longer needed.

What this means

Installing an unpinned package can expose the environment to unexpected dependency changes.

Why it was flagged

The skill depends on an external Python SDK but provides no pinned version or install spec. This is a normal integration dependency for the stated purpose, but it leaves dependency provenance and version selection to the user environment.

Skill content
- volcengine-python-sdk

If it does not exist, you need to pip it.

Recommendation

Install the SDK from a trusted package source, consider pinning a known-good version, and review dependency changes before upgrading.

What this means

Text prompts and generation parameters are shared with the external image-generation provider.

Why it was flagged

The script sends the user's prompt and generation parameters to the Jimeng/Volcengine VisualService API and decodes the returned image. This is disclosed and expected, but it means prompt content leaves the local environment.

Skill content
"prompt": prompt,
...
binary_data_base64 = visual_service.cv_process(form)["data"]["binary_data_base64"][0]

Recommendation

Do not include secrets or highly sensitive personal information in prompts unless you are comfortable sending them to the provider.