AI Image Generator & Editor — GPT Image 2, Nanobanana, ComfyUI

Pass

Audited by ClawScan on May 13, 2026.

Overview

The skill is coherently documented for AI image generation, but users should trust the external MCP package and protect provider keys and selected images.

Before installing, verify the external `meigen@1.3.1` MCP package, use only API keys you are comfortable granting to this provider workflow, and pass only reference images you intend to share with the selected image service.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill as documented will run external MCP server code from npm.

Why it was flagged

The runtime depends on an external npm MCP package. It is pinned and disclosed, but the package code itself is not included in the provided artifacts.

Skill content

`"command": "npx", "args": ["-y", "meigen@1.3.1"]`

Recommendation

Use this only if you trust the package and publisher; verify the npm/GitHub source and keep the version pinned.

What this means

A leaked or misused token could consume credits or access the configured provider account.

Why it was flagged

The skill uses provider credentials for paid or account-backed image generation. This is expected for the purpose, but it grants access to external provider accounts.

Skill content

To unlock image generation, configure one of these providers: `MEIGEN_API_TOKEN`, `openaiApiKey` + `openaiBaseUrl` + `openaiModel`

Recommendation

Use least-privileged API keys where possible, store them only in local config/env files, and revoke keys if you stop using the skill.

What this means

Images you choose as references may be sent to a cloud provider unless you are using the local ComfyUI path.

Why it was flagged

The tool can read user-specified local reference images and provide them to the configured image provider. The artifacts describe this as user-initiated and purpose-aligned.

Skill content

Pass local file paths directly in `referenceImages` — images are auto-compressed locally ... and prepared for the selected provider.

Recommendation

Only pass files you intend to share with the selected provider, and use local ComfyUI for images that should stay on-device.

What this means

Mistaken tool use could alter or remove workflow templates you rely on.

Why it was flagged

The skill can mutate or delete local ComfyUI workflow templates. This matches the stated workflow-management purpose but is a local data-changing capability.

Skill content

`comfyui_workflow` | List, view, import, modify, and delete ComfyUI workflow templates.

Recommendation

Back up important ComfyUI workflows and confirm destructive workflow actions before running them.

What this means

Saved preferences or style notes may affect future outputs and could reveal creative preferences if the local config is shared.

Why it was flagged

The skill can persist user preferences that may influence later image-generation tasks. This is disclosed and aligned with customization.

Skill content

`manage_preferences` | Save and load user preferences (default style, aspect ratio, style notes, favorite prompts).

Recommendation

Avoid saving sensitive notes as preferences and clear or edit saved preferences when they are no longer desired.