SiliconFlow Image Gen
PassAudited by ClawScan on May 1, 2026.
Overview
The skill matches its stated image-generation purpose, but users should notice that it uses a SiliconFlow API key, reads OpenClaw config for that key, and runs curl to call/download from the service.
Before installing, confirm you are comfortable sharing image prompts with SiliconFlow, using a SiliconFlow API key, and potentially incurring paid-model costs. Prefer a dedicated API key and safe local output paths.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A SiliconFlow API key can authorize image-generation requests and may incur usage costs, especially with paid models.
The script uses a SiliconFlow credential from the environment or OpenClaw config. This is expected for the service and the code does not show logging or unrelated use of the key, but it is still sensitive account authority.
api_key = os.environ.get("SILICONFLOW_API_KEY") ... config_path = os.path.expanduser("~/.openclaw/openclaw.json") ... api_key = siliconflow.get("apiKey")Use a dedicated, revocable SiliconFlow API key, monitor usage, and avoid installing the skill if you do not want it to access that provider credential.
Prompts are sent to SiliconFlow, and generated image downloads can be saved locally when an output path is provided.
The skill runs local curl commands to call the SiliconFlow API. This is central to the skill’s purpose and uses argument lists rather than shell interpolation, but it is still local command execution and external network use.
curl_cmd = ["curl", "-s", "-X", "POST", f"{API_BASE_URL}/images/generations", ... "-d", json.dumps(data)] ... subprocess.run(curl_cmd, capture_output=True, text=True)Only use prompts you are comfortable sending to SiliconFlow, and choose output paths that will not overwrite important files.
Install-time metadata may not fully warn you that credentials and curl are needed.
The registry metadata does not advertise the API key/config requirement or curl dependency that the included package files show. This appears to be an under-declaration rather than hidden behavior because the files disclose the same requirements.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Review SKILL.md and scripts/generate.py before providing credentials, and ensure curl is available if you intend to use the script.