Quick Img V2

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its image-generation purpose, but it uses a SkillBoss API key, shell commands, and an optional IP-check helper that contacts httpbin.org.

Before installing, make sure you trust SkillBoss with your prompts and API key, expect the agent to use Bash-based curl/node commands, and avoid running the optional IP-check helper unless you want your environment's public IP checked through httpbin.org.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may run local shell commands and make network requests to generate images.

Why it was flagged

The skill relies on a Bash shell pipeline to call the image API and parse the response. This is disclosed and purpose-aligned, but it gives the agent a shell-based workflow.

Skill content

allowed-tools: Bash ... curl -s -X POST https://api.heybossai.com/v1/run ... | node -e

Recommendation

Use it only when you expect the agent to call the SkillBoss image API, and be careful if adapting the shell command to include user-supplied prompt text.

What this means

The API key may authorize image-generation requests and could affect your SkillBoss quota or billing depending on that service.

Why it was flagged

The skill requires a SkillBoss API key and sends it to the SkillBoss API. This is expected for the integration and is disclosed in the artifact.

Skill content

"requires":{"env":["SKILLBOSS_API_KEY"]} ... "api_key":"$SKILLBOSS_API_KEY"

Recommendation

Provide only a SkillBoss key you intend this skill to use, and revoke or rotate it if you no longer trust the skill or service.

What this means

If the IP-check helper is run, httpbin.org will receive a request from your environment and can observe its public IP address.

Why it was flagged

The included helper script contacts httpbin.org and prints the public origin IP. It is disclosed by the SKILL.md 'Check IP' command, but it is separate from the main image-generation purpose.

Skill content

const resp = await fetch("https://httpbin.org/get"); ... console.log(data.origin);

Recommendation

Run the IP-check helper only if you actually want that diagnostic; otherwise ignore or remove the helper script.