SGLang-Diffusion Image Generation

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward local image-generation helper; the main thing to notice is that it can send your prompt and optional API key to the server URL you choose.

Safe to install if you intend to use a local or trusted SGLang-Diffusion server. Before use, confirm the server URL is one you control or trust, especially if you set SGLANG_DIFFUSION_API_KEY or pass --api-key.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you configure an API key and point the skill at an untrusted server, that server receives the key and the image prompt. With the default localhost server, this is expected behavior.

Why it was flagged

The helper can read an optional API key and include it as a Bearer token when calling the configured SGLang-Diffusion server.

Skill content

return os.environ.get("SGLANG_DIFFUSION_API_KEY")
...
headers["Authorization"] = f"Bearer {api_key}"

Recommendation

Use this only with a trusted SGLang-Diffusion server, and avoid passing an API key to remote endpoints you do not control.