pony-image
Pass
Audited by ClawScan on May 1, 2026.
Overview
No suspicious behavior is evident; the skill is a disclosed image-generation wrapper, but it sends prompts, images, and a Pony/Supabase bearer key to an external backend.
This skill appears coherent and purpose-aligned. Before installing, make sure you are comfortable sharing prompts and product/reference images with the external Pony/Supabase backend, and use a dedicated API key with limited privileges or quota where possible.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume the associated service quota or access whatever the Pony/Supabase key is permitted to access.
The skill requires a bearer credential for its Supabase-backed API calls. This is expected for the service, but it means the agent can make authenticated requests with that key.
Authorization: Bearer $PONY_SUPABASE_ANON_KEY
Use a dedicated, least-privilege key for this skill and monitor usage or billing if the backend charges for image generation.
Commercial product images, reference images, and prompt details may leave the local environment and be processed by the external backend.
The workflow sends prompts and reference/product images, including URLs or Base64 image data, to a disclosed external Supabase functions endpoint.
BASE_URL=https://vecarpahagopuqbwxbjh.supabase.co/functions/v1 ... "referenceImages": ["参考图URL或Base64"] ... "productImages": ["产品图URL或Base64"]
Avoid sending confidential or unreleased assets unless you trust the Pony backend and understand its data handling and retention practices.
Users have less information to verify the operator, documentation, or privacy posture of the external image-generation service.
The registry metadata does not provide a source repository or homepage for independent verification, even though the skill relies on a fixed external backend.
Source: unknown; Homepage: none
Confirm the service provider and trust relationship before installing, especially for business-sensitive image assets.
