Skill v1.0.0

ClawScan security

Jimeng AI Image Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 6:54 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill and its files are internally consistent with an image-generation client for Volcengine (Jimeng); the requested binaries and env vars match the declared purpose and there is no unexplained access or suspicious install behavior.
Guidance
This skill appears to be a straightforward Node.js client for Volcengine '即梦' image generation. Before installing/using:
1) Understand that all prompts and any image URLs you supply will be sent to Volcengine (visual.volcengineapi.com) and the generated images will be downloaded; do not send private or sensitive images or prompts you do not want sent to an external service.
2) Provide dedicated API keys with the minimum necessary privileges and monitor usage/billing (the service bills per output image).
3) The script will write files to disk when you use --save; run it in a directory you control.
4) Review the included scripts yourself (they are present and human-readable) before running.
5) If you need stronger assurance about provenance, obtain the skill from a known publisher or the official vendor SDK rather than an unknown source.

Review Dimensions

Purpose & Capability
ok
Name/description match the implementation: the skill is a Node.js client for Volcengine '即梦' image-generation (jimeng) and correctly requires node and the service Access/Secret keys. Required items (node, JIMENG_ACCESS_KEY, JIMENG_SECRET_KEY) are proportionate and expected.
Instruction Scope
ok
SKILL.md instructs running the included Node script, which reads only the declared env vars, sends prompts/optional image URLs to the official visual.volcengineapi.com endpoints, polls for results, and can save returned images to disk. The script makes network requests to the vendor and to image URLs returned by the service (for downloads); this is expected for the stated purpose.
Install Mechanism
ok
No install spec and the package is implemented as a single Node script using only built-in Node modules (crypto, https, fs, etc.). Nothing is downloaded from arbitrary or obscure URLs and no archive extraction or package manager installs are required.
Credentials
ok
Only two env vars are required (ACCESS and SECRET), which are exactly the credentials needed to sign requests to the service. No unrelated secrets or system credentials are requested.
Persistence & Privilege
ok
The skill does not request always:true, does not modify other skills or system settings, and is user-invocable. It runs on-demand and does not demand persistent elevated privileges.