ai lmage
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must configure or rely on an API key that authorizes image-generation requests.
The skill requires a service API key for calls to the image-generation API. This is expected for the stated integration, but the key grants access to the configured service and should be protected.
Auth: every request must include header `x-api-key` with the value of `AI_IMAGE_API_KEY`
Use a scoped API key, do not share it in prompts or logs, and confirm the configured host is the intended service.
Private prompts or source images submitted through the skill may be processed by the configured remote service.
The skill sends prompts and optionally base64-encoded input images to a configured external host. This is central to image generation, but users should recognize that submitted content leaves the local agent environment.
Base URL: value of the `AI_IMAGE_HOST` environment variable ... `POST /generate` ... `input_image_base64`
Avoid submitting sensitive personal, confidential, or copyrighted images unless you trust the configured host and its data handling.
Generated image metadata or result links may remain available after the immediate task completes.
The async workflow stores job status and results outside the immediate request lifecycle. This is expected for polling, but the artifact does not describe retention or access controls for the persisted results.
task status + result are persisted in KV (not in-memory)
Check the service’s retention and access policies before generating sensitive images.
