Baoyu Image Gen

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its image-generation purpose, but its Google proxy path builds a shell curl command with API keys and configurable values, creating command-injection and credential-exposure risk.

Install only if you trust the project directory and provider configuration. Check `.baoyu-skills/.env` and EXTEND.md before use, avoid custom base URLs/proxy settings unless intentional, prefer a pinned/trusted Bun installation, and remember that prompts/reference images and API usage go to the selected external provider.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Env credential access (4 findings)

Critical
Finding
Environment variable access combined with network send.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted proxy/base-url/model value could cause unintended shell commands to run when Google image generation is used, especially in a project that can influence local environment settings.

Why it was flagged

When a proxy environment variable is present, the provider switches from fetch to a shell command and interpolates proxy, URL, and API-key values without shell escaping.

Skill content

``const proxyArgs = proxy ? `-x "${proxy}"` : ""; ... const result = execSync(`curl ... ${proxyArgs} "${url}" ... -H "x-goog-api-key: ${apiKey}" -d @-`, ...);``

Recommendation

Avoid using this skill with untrusted project configuration. The publisher should replace shell-string `execSync` with `fetch` or `spawn/execFile` using an argument array and strict validation/escaping.

What this means

The Google API key may be exposed to local process inspection or affected by shell-command parsing if proxy mode is triggered.

Why it was flagged

The Google API key is embedded directly in the curl command line when proxy mode is used, rather than only being held inside an HTTP client request.

Skill content

`curl ... -H "x-goog-api-key: ${apiKey}" -d @-`

Recommendation

Do not use proxy mode with sensitive keys unless the implementation is fixed. Prefer direct provider calls, pass secrets outside command-line arguments, and rotate any key you believe was exposed.

What this means

A project-local config file can influence provider base URLs or proxy settings and may redirect prompts, images, or API credentials to an unintended endpoint.

Why it was flagged

The runtime automatically imports all key/value pairs from a project-local `.baoyu-skills/.env` file into the process environment, not just a narrow allowlist of image-provider settings.

Skill content

`const cwdEnv = await loadEnvFile(path.join(cwd, ".baoyu-skills", ".env")); ... for (const [k, v] of Object.entries(cwdEnv)) { if (!process.env[k]) process.env[k] = v; }`

Recommendation

Use this only in trusted project directories. The publisher should allowlist supported env keys and require explicit confirmation before honoring custom base URLs or proxy settings from project files.

What this means

If Bun is not already installed or cached, running the example may fetch and execute an external package version selected at run time.

Why it was flagged

The documented execution path relies on `npx -y bun` without a pinned version or install spec, so the runtime/package provenance is not fully fixed by the skill artifacts.

Skill content

`npx -y bun ${SKILL_DIR}/scripts/main.ts --prompt "A cat" --image cat.png`

Recommendation

Install Bun from a trusted source or pin the runtime/package version before using the skill with provider credentials.

What this means

Prompts and selected reference images may leave the local machine and be processed by the chosen provider, potentially incurring cost or exposing private content.

Why it was flagged

The skill explicitly supports sending user-selected reference images and prompts to external image-generation providers.

Skill content

`--ref <files...>` | Reference images. Supported by Google multimodal ... and OpenAI edits ...

Recommendation

Only use non-sensitive prompts/images with providers and base URLs you trust, and review provider data-retention terms.