ClawHub

ai lmage

PassAudited by ClawScan on May 1, 2026.

Overview

This instruction-only skill appears to be a disclosed AI image-generation API wrapper, but users should understand that prompts, optional input images, and generated image links go to an external service.

Install only if you trust the configured AI_IMAGE_HOST, keep AI_IMAGE_API_KEY private, and avoid sending sensitive images or prompts unless you are comfortable with the service storing and returning generated results through remote URLs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI03: Identity and Privilege Abuse
What this means

Anyone using the skill must configure or rely on an API key that authorizes image-generation requests.

Why it was flagged

The skill requires a service API key for calls to the image-generation API. This is expected for the stated integration, but the key grants access to the configured service and should be protected.

Skill content
Auth: every request must include header `x-api-key` with the value of `AI_IMAGE_API_KEY`
Recommendation

Use a scoped API key, do not share it in prompts or logs, and confirm the configured host is the intended service.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

Private prompts or source images submitted through the skill may be processed by the configured remote service.

Why it was flagged

The skill sends prompts and optionally base64-encoded input images to a configured external host. This is central to image generation, but users should recognize that submitted content leaves the local agent environment.

Skill content
Base URL: value of the `AI_IMAGE_HOST` environment variable ... `POST /generate` ... `input_image_base64`
Recommendation

Avoid submitting sensitive personal, confidential, or copyrighted images unless you trust the configured host and its data handling.

Low
#ASI06: Memory and Context Poisoning
What this means

Generated image metadata or result links may remain available after the immediate task completes.

Why it was flagged

The async workflow stores job status and results outside the immediate request lifecycle. This is expected for polling, but the artifact does not describe retention or access controls for the persisted results.

Skill content
task status + result are persisted in KV (not in-memory)
Recommendation

Check the service’s retention and access policies before generating sensitive images.