Skill v1.0.6
ClawScan security
Microsoft Foundry image generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 12:38 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with its stated purpose of calling an Azure Foundry image-generation deployment; it asks only for expected binaries and Foundry credentials and contains no surprising install steps or unrelated privileges.
- Guidance: This skill appears to do exactly what it says: call your Azure Foundry images deployment and save the returned image bytes. Before installing, ensure you only provide a Foundry API key with the minimum necessary permissions, verify the FOUNDRY_ENDPOINT is correct and points to your service, and be aware the example writes temporary files to /tmp (ephemeral). Also confirm your environment has curl, jq, and a compatible base64 utility. If you need stricter hostname validation, review the endpoint regex in the SKILL.md or restrict network access accordingly.
Review Dimensions
- Purpose & Capability (ok): Name/description match the declared requirements: curl/jq/base64 and the Foundry endpoint, API key, and deployment name are appropriate and necessary for calling the Foundry images REST API.
- Instruction Scope (ok): SKILL.md contains concrete curl/jq/base64 commands that only call the declared Foundry endpoint, validate the endpoint string, stream a base64 payload to /tmp, and save an image file. The instructions do not ask to read unrelated files, system credentials, or transmit data to any external endpoint other than the provided Foundry endpoint.
- Install Mechanism (ok): No install spec or external downloads — instruction-only skill (lowest install risk). It relies on standard CLI tools being present on PATH, which is consistent with the examples.
- Credentials (ok): Required environment variables (FOUNDRY_API_KEY, FOUNDRY_ENDPOINT, FOUNDRY_DEPLOYMENT) are directly relevant and limited in number. The primary credential is correctly declared as FOUNDRY_API_KEY. An optional FOUNDRY_API_VERSION is used in examples but not required, which is documented in Options.
- Persistence & Privilege (ok): The skill does not request always: true, does not modify other skills or system configs, and has no install-time persistence. It will make outbound calls at runtime when invoked (normal for this capability).
