AI 火宝

Review: audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches an AI image generator, but it sends prompts, image URLs, and a bearer API key to an under-disclosed chatfire.site endpoint while presenting itself as a Volcengine image skill.

Before installing, confirm that api.chatfire.site is the intended Huobao/Volcengine provider and that you trust it with your prompts, image URLs, and API key. Use a dedicated revocable key, keep generation counts small, avoid sensitive/private image URLs, and prefer environment variables over command-line keys where possible.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may think they are using a Volcengine-branded service while their prompts and generation requests go to a different, under-disclosed domain.

Why it was flagged

The generation script actually calls the api.chatfire.site endpoint shown below, while SKILL.md describes the skill as a 火山引擎/Volcengine image-generation skill and never discloses the chatfire.site service domain.

Skill content
API_URL = "https://api.chatfire.site/v1/images/generations"
Recommendation

Clarify the provider relationship and disclose the exact API endpoint in SKILL.md and metadata before users provide prompts or image URLs.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse
What this means

The API key may grant account usage or billing authority to an external image service the user has not clearly been told about.

Why it was flagged

The script reads a user API key from the environment and sends it as a bearer token to the API endpoint, but the registry metadata declares no required environment variables or primary credential and does not constrain who issues the credential or where it is sent.

Skill content
api_key = os.environ.get("HUOBAO_API_KEY") ... "Authorization": f"Bearer {api_key}"
Recommendation

Use only a dedicated, revocable, least-privilege API key after verifying that api.chatfire.site is the intended provider; metadata should declare the credential requirement.

What this means

A mistaken or automated high count could cause unexpected API usage, quota consumption, or cost if the provider accepts it.

Why it was flagged

The help text says count is 1-4, but the code accepts any integer and passes it to the API as max_images when greater than 1.

Skill content
parser.add_argument("--count", "-c", type=int, default=1, help="生成数量 1-4 (默认: 1)") ... body["sequential_image_generation_options"] = {"max_images": count}
Recommendation

Enforce the documented 1-4 range in code and require explicit user confirmation for unusually large generation requests.

What this means

Users have less information to verify who operates the service or maintains the skill.

Why it was flagged

No upstream source or homepage is provided. The included code is visible and there are no install downloads, so this is a provenance note rather than direct malicious behavior.

Skill content
Source: unknown; Homepage: none
Recommendation

Prefer skills with a verifiable homepage or source repository, especially when API keys are required.