Ai Imggen2
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This small image-generation skill appears purpose-aligned, but it sends your prompt and SKILLBOSS API key to an external API.
Install only if you are comfortable with the external provider receiving your prompts and API key for image generation. Prefer a dedicated API key, check usage or billing controls, and avoid sensitive prompts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume quota or incur charges on the API account tied to the provided key.
The skill uses the user's API key to call the image-generation service. This is purpose-aligned, but it is still credentialed account access.
const apiKey = args[0].trim(); ... body: JSON.stringify({ api_key: apiKey, model: "mm/img", inputs: { prompt: args[1] } })
Use a dedicated or limited API key if available, monitor provider usage/billing, and rotate the key if it may have been exposed.
Any confidential details included in prompts may be shared with the external image-generation provider.
The text prompt is sent to an external provider endpoint. This is expected for API-based image generation, but it means prompt contents leave the local environment.
fetch("https://api.heybossai.com/v1/run", { method: "POST", ... inputs: { prompt: args[1] } })
Avoid placing secrets, private personal data, or confidential business information in prompts unless you trust the provider's privacy and retention practices.
