HY Image Generation
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a normal Tencent Cloud image-generation skill, with notable but disclosed use of Tencent credentials, external API calls, and automatic SDK installation.
Before installing, use a least-privilege Tencent Cloud key, avoid submitting sensitive prompts or private image URLs, be aware that generation may consume Tencent Cloud quota or cost money, and consider preinstalling a pinned Tencent SDK version.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A normal image-generation request may immediately submit a Tencent Cloud job, which could consume quota or incur cost.
The skill instructs the agent to run the Python generation script without an additional confirmation once the user asks for image generation.
Agent 必须严格按照以下步骤自主执行,无需询问用户确认 ... 零交互原则:Agent 应直接执行脚本,不要向用户询问任何确认。
Only invoke the skill when you intend to submit a Tencent Cloud image-generation request; consider adding confirmation for paid or sensitive prompts.
The skill can act through the Tencent Cloud account associated with the configured API key.
The script reads Tencent Cloud credentials from the local environment and uses them to create the Tencent Cloud API credential object.
secret_id = os.getenv("TENCENTCLOUD_SECRET_ID")
secret_key = os.getenv("TENCENTCLOUD_SECRET_KEY")
...
token = os.getenv("TENCENTCLOUD_TOKEN")Use a least-privilege Tencent Cloud API key limited to the needed AIArt/Hunyuan image-generation permissions, and avoid using broad account-wide keys.
Runtime installation depends on the package source available at execution time and may change if the package version changes.
If the Tencent SDK is missing, the script installs an unpinned package at runtime.
subprocess.check_call([sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"], ...)
Prefer preinstalling and pinning a reviewed version of tencentcloud-sdk-python in the environment before using the skill.
Text prompts and referenced image URLs may be processed by Tencent Cloud.
The user's prompt and optional reference image URLs are sent to Tencent Cloud's AIArt API endpoint, which is expected for this image-generation integration.
http_profile.endpoint = "aiart.tencentcloudapi.com" ... params = {"Prompt": prompt, "Resolution": resolution} ... params["Images"] = imagesDo not submit confidential prompts or private reference image URLs unless you are comfortable sending them to Tencent Cloud under its service terms.