voice-text-to-meme
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s behavior matches its stated purpose of generating one meme image from user-provided text, with normal cautions about using an external image API, an API key, dependencies, and local file output.
This appears safe for its stated purpose. Before installing, make sure you trust the configured image API provider, use a dedicated API key, avoid sending sensitive text, and save generated images only to a safe output folder.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You must provide an API token that may authorize usage or billing with the image-model provider.
The skill requires a model API token, which is expected for image generation, but users should recognize that this grants access to the configured provider and is under-declared in the registry metadata.
`MEME_MODEL_API_KEY`: required, image model API token
Use a dedicated, least-privilege API key and rotate or revoke it if you stop using the skill.
Any text you use to make a meme may be sent to the configured model service.
The selected user text is incorporated into a prompt and sent to the configured external image API; this is purpose-aligned and disclosed, but it is still an external data flow.
DEFAULT_BASE_URL = os.getenv("MEME_MODEL_BASE_URL", "https://models.audiozen.cn/v1") ... client.images.generate(... prompt=prompt ...)
Avoid sending private, confidential, or regulated text unless you trust the configured provider and its data handling.
A future dependency version could behave differently from the version the author tested.
The dependencies are common and appropriate for this skill, but they are specified as lower bounds rather than exact pinned versions.
openai>=1.0.0
requests>=2.31.0
Install dependencies from a trusted package index and consider using a locked environment if reproducibility matters.
Generated images will be saved locally, and a custom output path could replace an existing file.
The script writes the generated image to a default or user-specified path, which is expected, but a chosen path could overwrite an existing file if the agent has permission.
parser.add_argument("--output", default="", help="输出文件路径,默认自动生成 .jpg") ... output_path.write_bytes(content)
Use a dedicated output directory such as meme_outputs and avoid pointing --output at important files.
