ClawHub
Back to skill
v1.0.1

qwenz-image-gen

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:32 AM.

Analysis

This image-generation skill is coherent and purpose-aligned, but it uses your Alibaba DashScope API key and sends prompts to Alibaba's service.

GuidanceThis skill appears safe to use for its stated purpose. Before installing, make sure you trust Alibaba DashScope for your prompts, use an API key you are comfortable authorizing for image generation, and avoid placing sensitive information in prompts or plaintext configuration files.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/generate.py
key = os.environ.get("DASHSCOPE_API_KEY") ... match = re.search(r'DASHSCOPE_API_KEY:\\s*(\\S+)', content) ... "Authorization": f"Bearer {api_key}"

The script reads a DashScope API key from the environment or TOOLS.md and uses it as a bearer token for the image-generation API.

User impactThe skill can use your Alibaba DashScope account credentials, which may consume quota or incur charges.
RecommendationUse a dedicated, least-privileged API key if possible, keep it private, and remove it from TOOLS.md or the environment when no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/generate.py
conn = http.client.HTTPSConnection("dashscope.aliyuncs.com", timeout=120) ... conn.request("POST", "/api/v1/services/aigc/multimodal-generation/generation", body=json.dumps(payload), headers=headers)

The script sends the user-provided prompt and generation parameters to Alibaba DashScope, which is expected for this image-generation purpose.

User impactYour image prompt and generation settings are transmitted to Alibaba Cloud.
RecommendationAvoid putting private, confidential, or regulated information into prompts unless you are comfortable sharing it with the provider under its terms.