Grs Image

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward GrsAI image-generation skill, but it uses an API key and sends prompts or reference images to an external service.

Before installing, use a trusted Python environment, keep `GRSAAI_API_KEY` secret, and remember that prompts plus any reference image URL/Base64 data are sent to GrsAI. Choose output paths carefully to avoid overwriting local files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Prompts and any reference images may be processed by GrsAI rather than staying only on the user's device.

Why it was flagged

The script sends the user's prompt and optional reference image URLs/Base64 content to the external GrsAI image-generation API. This is expected for the stated purpose, but it is still external data sharing.

Skill content

payload = {"model": model, "prompt": prompt, "aspectRatio": ratio, "imageSize": size}; if urls: payload["urls"] = urls ... requests.post(f"{BASE_URL}/v1/draw/nano-banana", ... json=payload)

Recommendation

Use non-sensitive prompts and reference images unless you are comfortable sending them to GrsAI, and review the provider's privacy/retention terms if needed.

What this means

Anyone with access to the configured environment variable could use the associated GrsAI API access.

Why it was flagged

The script uses a bearer API key from the environment to access the GrsAI API. This credential use is purpose-aligned and disclosed in SKILL.md, but the registry metadata lists no required env vars or primary credential.

Skill content

API_KEY = os.environ.get("GRSAAI_API_KEY", "") ... "Authorization": f"Bearer {API_KEY}"

Recommendation

Store `GRSAAI_API_KEY` as a secret, do not paste it into prompts or shared files, and consider the registry metadata incomplete for credential awareness.

What this means

The installed dependency version may vary by environment, and users rely on the Python package index/source they install from.

Why it was flagged

The setup instructions install an unpinned Python dependency manually. This is a standard dependency for HTTP API calls and is user-directed, but it carries normal package-provenance/version risk.

Skill content

pip install requests

Recommendation

Install dependencies in a trusted Python environment and pin or review package versions if reproducibility or supply-chain control matters.