Higgsfield Product Photoshoot
Advisory
Audited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the CLI is not installed, remote code could be executed on the user’s machine without a pinned version or reviewed package boundary.
The skill has no install spec, but instructs the agent to fetch and execute an unpinned script from the GitHub main branch.
If `higgsfield` is not on `$PATH`, install it: `curl -fsSL https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh | sh`
Require explicit user approval before installation, prefer a pinned release or package-manager install, and document the installer in an install spec.
The CLI may use the user’s Higgsfield account, credits, or subscription when generating images.
The skill requires a Higgsfield account session to generate images, which is expected for the provider integration but gives the CLI account-level access.
If `higgsfield account status` fails with `Session expired` / `Not authenticated`, ask the user to run `higgsfield auth login`
Log in only to the intended Higgsfield account and confirm any billing, credit, or privacy implications before use.
Product descriptions or uploaded product photos may be sent to Higgsfield’s backend and image model service.
The skill discloses a provider/backend flow for image generation; product prompts and likely uploaded product images are processed outside the local agent.
The CLI calls a backend prompt enhancer ... then submits to `gpt_image_2` and returns image URLs.
Avoid submitting confidential product images or unreleased campaign details unless the provider’s data handling terms are acceptable.
