GPT-image-2 图片生成与编辑 诗云API
PassAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent ShiyunApi image-generation/editing integration, with expected cautions around API-key persistence and uploading selected images to the provider.
Install this only if you trust ShiyunApi with the prompts and images you provide. Use a revocable API key, be aware that requests may consume paid quota, and decide whether you want the key saved persistently in your user environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The install metadata may make the skill look like it needs less setup or credential access than it actually uses.
The registry contract does not declare Python/script execution or the Shiyun API key, even though the SKILL.md and scripts disclose those needs. This is an under-declaration note rather than hidden behavior.
Required binaries (all must exist): none ... Env var declarations: none ... Primary credential: none
Before installing, expect to run the included Python scripts and provide a ShiyunApi key; maintainers should declare the runtime and credential requirements in metadata.
Anyone or any process that can read that shell profile or environment may be able to use the ShiyunApi key and consume account quota.
The helper can store the ShiyunApi key persistently in a user shell profile; this is expected for the integration, but it is sensitive account access.
target = home / ".bashrc"
line = f"export {ENV_NAME}={shell_quote_single(api_key)}"
upsert_line(target, f"export {ENV_NAME}=", line)Use a scoped/revocable ShiyunApi key, prefer stdin over command-line arguments, and consider process-only storage if you do not want the key saved persistently.
Images, prompts, and related request data may leave the local machine and be processed by ShiyunApi.
For editing, the script uploads selected image files to ShiyunApi with the user's bearer token. This is the stated purpose, but it sends potentially private images to an external provider.
API_URL = "https://shiyunapi.com/v1/images/edits" ... chunks.append(multipart_file("image", path, boundary)) ... "Authorization": f"Bearer {api_key}"Only upload images you are comfortable sending to ShiyunApi, and review the provider's privacy and retention terms for sensitive or personal content.