Image Generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it says—generate one image through BigModel and send or return it—but it uses a Zhipu API key and runs a local Python script.
Install only if you are comfortable giving this skill access to a Zhipu/BigModel API key and sending image prompts to BigModel, then sending the generated image into the current chat. Use a dedicated API key, keep generated files in the workspace, and ensure the agent invokes the Python script with safe argument handling.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will execute a local command and create an image file; poorly handled prompt quoting could cause command errors or unintended behavior in shell-style runners.
The skill explicitly asks the agent to run a local Python command with user-provided prompt and size values and to write an output image file. This is central to the image-generation purpose, but it should be invoked with safe argument handling rather than unsafe shell concatenation.
使用系统运行工具,在 `{baseDir}` 目录下执行命令 ... `python {baseDir}/scripts/generate.py "<用户提示词>" --model cogview --size "<宽x高>" ... --output "/root/.openclaw/workspace/images/cogview-{时间戳}.png"`Invoke the script with separated arguments or robust escaping, keep output paths under the workspace, and only send the generated image to the requesting conversation.
Your API key may be used to make paid or quota-consuming BigModel image-generation requests, and prompts are sent to the provider.
The script uses a Zhipu/BigModel API credential and attempts to locate the same credential in local TOOLS.md files if the environment variable is absent. This is expected for a BigModel integration, but it is account credential use.
key = os.environ.get("ZHIPU_API_KEY") ... Path.cwd() / "TOOLS.md" ... "Authorization": f"Bearer {api_key}"Use a dedicated low-scope or low-quota API key, prefer environment-variable injection over broad workspace files, and rotate the key if it is exposed.
It may be harder to verify the publisher or original source before trusting the skill with an API key.
The packaged metadata does not match the registry-facing owner/slug shown in the supplied metadata, and the source/homepage are not provided. This is a provenance note; the included code itself is visible and matches the stated purpose.
"ownerId": "Henry", "slug": "zhipu-image-skill", "version": "1.0.0"
Confirm that this is the intended package and publisher before installing or providing credentials.