GLM-Image-Gen
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent image-generation skill, but it requires your Zhipu API key and sends your prompts to Zhipu's image API.
This skill is reasonable to install if you trust Zhipu and are comfortable using your ZHIPU_API_KEY for image generation. Do not include secrets or highly sensitive information in prompts, monitor API usage or billing, and save generated files only to safe locations.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your Zhipu account key to make image-generation requests, which may affect quota or billing.
The skill uses a provider API key from the environment as a bearer credential. This is necessary for Zhipu image generation and the provided code sends it only to the fixed Zhipu API endpoint.
api_key = os.environ.get("ZHIPU_API_KEY") ... "Authorization": f"Bearer {api_key}"
Use a Zhipu API key intended for this purpose, protect it like a password, and rotate or revoke it if you stop using the skill.
Any sensitive details placed in an image prompt may be transmitted to the Zhipu API service.
The prompt and generation settings are sent to an external Zhipu provider endpoint. This is disclosed and purpose-aligned, but users should understand that prompt contents leave the local environment.
url = "https://open.bigmodel.cn/api/paas/v4/images/generations" ... payload = {"model": model, "prompt": prompt, "size": size, "quality": quality, "watermark_enabled": watermark}
Avoid putting secrets, private personal data, or confidential business details in prompts unless you are comfortable sending them to the provider.
If the save path is set incorrectly, the generated image could overwrite an existing local file.
The optional save feature downloads the returned image URL and writes it to a user-specified file path. This is expected for saving generated images, but it can overwrite a chosen destination path.
if result["ok"] and args.save and result.get("image_url"): ... download_image(result["image_url"], args.save) ... with open(save_path, "wb") as f:
Save images only to intended locations, preferably a normal pictures or downloads folder, and avoid overwriting important files.
