AI Image Generation
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a straightforward ShortAPI image-generation integration, with expected API-key and remote-document use but no artifact-backed malicious behavior.
Before installing, be comfortable giving the agent access to a ShortAPI API key and letting it create image-generation jobs that may consume credits. Treat fetched model documents as parameter references, use only callback URLs that you supply yourself, and note that the visible instructions use both `shortapi.ai` and `api.shortapi.ai`.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can make authenticated ShortAPI requests and may consume account credits or quota.
The skill uses a ShortAPI API key to authorize image-generation job creation and status queries. This is expected for the service integration, but it gives the skill account-level API authority.
Include the Bearer token in the `Authorization` header ... `Authorization: Bearer $SHORTAPI_KEY`
Provide SHORTAPI_KEY only through the expected environment variable, use an account/key you are comfortable using for image generation, and monitor API usage.
Remote model documentation can affect which parameters the agent sends to ShortAPI.
The skill intentionally pulls remote Markdown into the agent's context to determine request parameters. This is central to the skill's purpose, but the fetched document should be treated as schema/reference material rather than unrestricted instructions.
You **MUST** first fetch the detailed skill document for the specific `<model_id>` ... This URL will return a Markdown (`.md`) text document ... You must parse it
Use the fetched model document only to identify allowed input fields and examples; ignore unrelated behavioral instructions if they appear in remote documentation.
A user may not realize that the skill uses both `shortapi.ai` for model documents and `api.shortapi.ai` for job APIs.
The artifact discloses a mandatory fetch from `shortapi.ai` but later says the skill only communicates with `api.shortapi.ai`. This is an imprecise endpoint-isolation statement, though both hosts are visibly associated with ShortAPI.
GET https://shortapi.ai/api/skill/<model_id> ... **Endpoint Isolation**: This skill only communicates with `https://api.shortapi.ai`.
Document both hostnames clearly and keep credentials limited to the authenticated API endpoint as described.
