Skill v1.0.0
ClawScan security
ImaginePro AI Image Generation API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 9:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credential line up with its stated purpose (wrapping the ImaginePro image-generation API) and do not request unrelated permissions or perform surprising actions.
- Guidance: This skill appears to be a straightforward CLI wrapper for the ImaginePro API. Before installing: 1) Verify the provider (https://platform.imaginepro.ai) and confirm you trust them with image generation usage and billing. 2) Treat IMAGINEPRO_API_KEY like any secret — avoid pasting it into public places and only grant the minimum required permissions in the provider dashboard. 3) Be cautious when using webhookOverride or supplying callback URLs — those endpoints will receive generation results and must be trusted. 4) Note the metadata lists curl even though the shipped Python script uses only the stdlib; that is unnecessary but not dangerous. If you rely on this skill in an automated agent, ensure network access and billing limits are acceptable to avoid unexpected charges.
Review Dimensions
- Purpose & Capability (ok): Name/description (ImaginePro image generation) match the code and SKILL.md: the script calls https://api.imaginepro.ai/api/v1 endpoints and exposes Midjourney/Flux/Nano Banana/Lumi Girl/video features. The single required env var (IMAGINEPRO_API_KEY) is appropriate for an API client. The only mild mismatch is that metadata lists curl as a required binary even though the included Python CLI uses the stdlib urllib — curl is unnecessary but not harmful.
- Instruction Scope (ok): SKILL.md and the CLI focus on submitting generation requests, polling status, upscaling, background removal, and prompt enhancement. The runtime instructions only require the IMAGINEPRO_API_KEY and do not instruct reading unrelated files, enumerating system state, or exfiltrating data. webhookOverride is supported (user-provided callback URL) — normal for async APIs but users should avoid forwarding secrets to untrusted endpoints.
- Install Mechanism (ok): There is no install specification (instruction-only skill) and the Python helper is zero-dependency. Nothing is downloaded from third-party URLs and no archives are extracted. This is low install risk.
- Credentials (ok): Only IMAGINEPRO_API_KEY is required and is the documented bearer token used for API calls. No other credentials, config paths, or broad-scoped secrets are requested. The primaryEnv matches the declared requirement.
- Persistence & Privilege (ok): The skill does not request always: true, does not modify other skills or system-wide configs, and does not persist credentials on disk. Autonomous invocation is allowed (platform default) but is not combined with other red flags.
