img2-generate-only
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may fail on most systems, or it may run whatever script happens to exist at that path; that script would receive the image prompt and API key.
The skill's runtime depends on a hard-coded absolute-path script, but the supplied package contains no such script or install spec. If invoked, the agent would run unreviewed local code.
python3 /home/ye/.openclaw/workspace/scripts/img2_generate_only.py
Package the script with the skill, provide an install spec, avoid user-specific absolute paths, and review the script before passing real credentials to it.
A real API key could authorize charges or account access with the configured provider, and command-line secrets may be exposed through shell history or process listings.
The skill explicitly requires a provider API key and demonstrates passing it as a command-line argument. This is expected for the image API, but the key is sensitive.
### 3) `api_key` API key. ... --api_key "sk-xxxx"
Use only trusted API endpoints, prefer a secret manager or environment-based credential handling, and avoid placing real keys directly in command examples or logs.
Prompts and credentials are sent to the configured endpoint, and files are written to the configured local path.
The skill sends requests to a user-supplied API base URL and writes the generated image to a local output directory. This matches the stated purpose but should be used with trusted inputs.
`base_url` ... `{base_url}/images/generations` ... `output_dir` ... `/tmp/generated-images`
Confirm the base URL belongs to the intended provider and choose an output directory that is safe for generated files.
