Skill

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill generates images through Zhipu AI in a way consistent with its stated purpose; the main consideration for users is that it requires a Zhipu API key and sends it to the provider.

This appears safe for its stated purpose. Before installing, understand that your prompt and Zhipu API key are used in an external API request, set the key only in a trusted environment, and treat the returned image URL as provider-hosted output.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Prompts submitted for image generation are sent to Zhipu AI's API.

Why it was flagged

The skill allows curl and jq commands so the agent can make the image-generation API request. This is expected for the stated purpose, but users should know the skill performs an external network call.

Skill content

allowed-tools: Bash(curl:*) Bash(jq:*)

Recommendation

Use only with prompts you are comfortable sending to Zhipu AI, and review provider terms and privacy expectations.

What this means

Anyone with access to the runtime environment or process details on a shared system could potentially observe or misuse the API key.

Why it was flagged

The script uses the ZHIPU_API_KEY as a bearer token for the official Zhipu API. This is necessary for the integration, but it is a sensitive credential and is under-declared in the registry metadata.

Skill content

-H "Authorization: Bearer $KEY"

Recommendation

Set ZHIPU_API_KEY only in trusted environments, avoid shared shells where process arguments are visible, and rotate the key if exposure is suspected.