phoenixclaw image gen

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward OpenRouter image-generation skill, but users should understand that it uses their OpenRouter API key and sends prompts or selected input images to OpenRouter.

Before installing, make sure you are comfortable providing an OpenRouter API key and sending prompts or selected image files to OpenRouter. Consider using a dedicated API key with spending limits, and avoid supplying confidential images or prompts.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can consume OpenRouter credits or incur charges under the configured API key.

Why it was flagged

The skill authenticates to OpenRouter with the user's API key, which is necessary for the stated image-generation purpose but gives the skill access to the user's OpenRouter account quota/billing.

Skill content

'Authorization': `Bearer ${apiKey}`

Recommendation

Use a dedicated OpenRouter key if possible, monitor usage, and revoke or rotate the key if you stop using the skill.

What this means

Prompts and selected input images are shared with OpenRouter and its routed model providers.

Why it was flagged

The adapter sends generation requests to OpenRouter. The request payload includes the prompt and, for image-to-image mode, a base64-encoded input image.

Skill content

const OPENROUTER_API_URL = 'https://openrouter.ai/api/v1/chat/completions';

Recommendation

Do not use private, sensitive, or confidential prompts/images unless you are comfortable sending them to OpenRouter under its terms and data-handling policies.

What this means

Invoking the wrapper runs local Node.js code from the skill and passes through the current environment, including configured credentials.

Why it was flagged

The CLI wrapper launches the skill's own generate.js script. This is expected for the documented command-line workflow and does not show shell-string execution.

Skill content

const child = spawn('node', [coreScript, ...cliArgs], { stdio: 'inherit', env: process.env });

Recommendation

Install only if you are comfortable running the included Node.js scripts and keeping the OpenRouter key available to them.