Skill v1.0.0
ClawScan security
Draw Images By Apiyi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 11:08 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, install steps, and runtime instructions match its stated purpose (calling APIYI to generate images) and request only the expected API key and a CLI runtime.
- Guidance: This skill appears coherent, but review these practical points before installing:
  1) Trust the API provider (https://apiyi.com) — the skill will send your prompts and API key to that service; use an API key with limited scope if possible.
  2) The script downloads an image from a URL returned by the service and writes files to the workspace or any absolute path you specify — avoid giving absolute paths you don't trust.
  3) The skill requires the 'uv' runtime (installed via Homebrew) and will pull Python dependencies (openai, requests, pillow) when run; verify those packages and the uv formula are acceptable in your environment.
  4) Keep your API key secret (do not paste it into public places); the skill accepts the key via env var or CLI arg.
  5) If you do not want the agent to call this skill autonomously, control invocation or disable it in your agent settings.
Review Dimensions
- Purpose & Capability: ok. Name/description ask to generate images via APIYI and the skill only requires the APIYI_API_KEY and the 'uv' runtime used to run the included Python script. No unrelated credentials or binaries are requested.
- Instruction Scope: ok. SKILL.md and the Python script limit actions to contacting APIYI, downloading the returned image URL, saving the image to the specified path, and printing a MEDIA: line for attachment. There are no instructions to read unrelated files, enumerate system secrets, or transmit data to other endpoints.
- Install Mechanism: ok. Install uses a Homebrew formula ('uv') which is an expected low-risk mechanism for providing the required runtime. The skill does not download arbitrary archives or run obscure installers. Python dependencies are declared in the script comments (likely managed by the uv runtime).
- Credentials: ok. Only APIYI_API_KEY is required and is declared as the primary credential. The script also accepts an --api-key override. No other secrets or unrelated environment variables are requested.
- Persistence & Privilege: ok. The skill is not always-enabled and is user-invocable. It does not request permanent presence, nor does it modify other skills or system-wide settings.
