Happy IMG2 Direct
PassAudited by ClawScan on May 12, 2026.
Overview
This skill coherently generates images through a configured image provider, but users should notice that it uses provider API credentials and saves prompts/results locally.
Before installing, confirm that the OpenClaw provider configuration points to the image provider you intend to use, that the API key is appropriate for image generation, and that you are comfortable with prompts and generated files being stored locally in run/output directories.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Image-generation requests may consume the configured provider account quota or billing, and the provider receives the prompt.
The skill uses a configured provider API key to authenticate to the image-generation endpoint. This is necessary for the stated purpose, but it is still account-level credential use.
const apiKey=provider.apiKey||(provider.apiKeyEnv?process.env[provider.apiKeyEnv]:''); ... headers:{Authorization:`Bearer ${apiKey}`,'Content-Type':'application/json'}Use a trusted provider configuration and a scoped, revocable API key where possible.
Private or sensitive text included in prompts can remain in local run logs after generation finishes.
The skill stores prompts and run metadata in local JSON files. This is useful for retries/debugging and is consistent with the documented logging behavior, but it means prompt text persists on disk.
(attempt_dir/'request.json').write_text(json.dumps({'prompt': args.prompt, 'task_name': attempt_name, 'provider': args.provider, 'model': args.model, 'size': args.size, 'timeout_ms': args.timeout_ms, 'output': str(output)}, ensure_ascii=False, indent=2), encoding='utf-8')Avoid placing secrets or sensitive personal data in prompts, and delete generated run directories if local retention is not desired.