Ecommerce Image Asset Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent for ecommerce image planning and generation, with only expected notes around optional third-party image providers and API keys.

This skill appears safe to install as an instruction-only ecommerce image planning tool. Before using generation or editing modes, confirm which external provider will be used, avoid sharing sensitive product images unless appropriate, and use scoped provider credentials if image generation requires an API key.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using provider credentials could incur account usage or billing with the chosen image provider.

Why it was flagged

The skill may use a provider API key for image generation. This is expected for the stated provider workflow, and the artifact only asks whether it is configured rather than instructing the user to expose or transmit the key.

Skill content

Ask only for:
- whether `ARK_API_KEY` is already configured;

Recommendation

Use a provider-specific, least-privilege API key where possible and avoid pasting secrets directly into chat unless the platform’s credential handling is trusted.

What this means

Product details, campaign context, source image URLs, or generated outputs may be processed by the selected external provider.

Why it was flagged

The provider workflow involves sending prompts or image references to an external image-generation service and receiving URLs or decoded images. This is disclosed and aligned with the skill’s purpose.

Skill content

Typical flow:
1. Submit task
2. Receive task_id
3. Poll result endpoint
4. Return output URLs or decoded images when done

Recommendation

Do not send confidential unreleased product imagery or sensitive campaign material to a provider unless its privacy, retention, and sharing terms are acceptable.