ClawHub
Back to skill
v1.0.3

GLM-V-Prompt-Gen

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:33 AM.

Analysis

This skill is a coherent prompt-generation helper that uses a Zhipu API key and sends user-provided images or video URLs to the Zhipu vision API.

GuidanceBefore installing, make sure you are comfortable providing a Zhipu API key and sending selected images or video URLs to Zhipu for analysis. The provided artifacts do not show hidden persistence, unrelated data access, or credential exfiltration.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/prompt_gen.py
"Authorization": f"Bearer {api_key}"

The script uses the configured ZHIPU_API_KEY as a bearer token to authenticate to the Zhipu API, which is expected for this integration but is still sensitive credential use.

User impactThe skill needs access to your Zhipu API key and can make API requests billed or governed by that account.
RecommendationUse a revocable API key, monitor usage, and only install if you trust this skill to call the Zhipu API for prompt generation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/prompt_gen.py
API_BASE_URL = "https://open.bigmodel.cn/api/paas/v4/chat/completions"

The script sends prompt-generation requests, including user-provided image data or video URLs, to an external Zhipu API endpoint.

User impactImages you choose to analyze, and video URLs you provide, may be sent to Zhipu’s service for processing.
RecommendationAvoid sending private or sensitive visual content unless you are comfortable with Zhipu processing it under its API terms.