TencentCloud Aiart TextToImage
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill provides Tencent Cloud text-to-image generation, but users should be aware that it uses Tencent Cloud credentials, calls Tencent's API, and may auto-install the Tencent SDK at runtime.
Before installing, make sure you trust the included scripts, are comfortable sending prompts and reference image URLs to Tencent Cloud, and use a limited Tencent Cloud API key. Consider installing the Tencent Cloud SDK yourself in a controlled environment instead of relying on automatic runtime installation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A normal image-generation request may immediately call Tencent Cloud and use account quota or incur charges.
The skill instructs the agent to invoke the image-generation script automatically after a user requests image generation. This fits the stated purpose, but it can trigger paid cloud API usage without a second confirmation step.
The agent must strictly follow the steps below and execute them autonomously, without asking the user for confirmation ... The agent should execute the script directly and must not ask the user for any confirmation.
Install only if you are comfortable with user-requested image generation being executed directly; monitor Tencent Cloud usage and billing.
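One way to keep the "no confirmation" instruction from translating into unbounded billing is to put the billable call behind a host-side guard that the agent cannot talk its way past. The following is an added example, not code from the skill or from the ClawScan report: `PaidApiGuard` refuses a request until the host passes an explicit `confirmed=True` and caps the number of billable calls per session; `fake_text_to_image` is a constructed stand-in for the real Tencent Cloud TextToImage call, and the parameter names are illustrative.

```python
"""Added example (not the skill's code): gate a paid image-generation call
behind explicit confirmation and a per-session budget.

`call_api` is injected so the guard can be exercised offline; in production
it would wrap the real Tencent Cloud SDK call (hypothetical here)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple


class GenerationRefused(Exception):
    """Raised when a billable request is blocked by the guard."""


@dataclass
class PaidApiGuard:
    call_api: Callable[[Dict[str, Any]], Dict[str, Any]]  # the billable call
    max_calls: int = 5                                    # per-session budget
    require_confirmation: bool = True
    calls_made: int = 0
    audit_log: List[Tuple] = field(default_factory=list)

    def generate(self, params: Dict[str, Any], confirmed: bool = False) -> Dict[str, Any]:
        prompt = params.get("Prompt")
        # Step 1: an agent instruction to "not ask" carries no weight here; the
        # host (or the human) must pass confirmed=True for every request.
        if self.require_confirmation and not confirmed:
            self.audit_log.append(("refused", "no confirmation", prompt))
            raise GenerationRefused("billable call requires explicit user confirmation")
        # Step 2: a hard cap so a runaway agent loop cannot drain quota.
        if self.calls_made >= self.max_calls:
            self.audit_log.append(("refused", "budget exhausted", prompt))
            raise GenerationRefused(f"session budget of {self.max_calls} calls exhausted")
        # Step 3: only now spend money, and record that we did.
        self.calls_made += 1
        self.audit_log.append(("called", self.calls_made, prompt))
        return self.call_api(params)


def fake_text_to_image(params: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the TextToImage API; returns a canned response."""
    return {"RequestId": "constructed-0001", "ResultImage": "<base64 omitted>"}


def demo() -> Dict[str, Any]:
    """Exercise the guard: one unconfirmed attempt, two within budget, one over."""
    guard = PaidApiGuard(call_api=fake_text_to_image, max_calls=2)
    results: Dict[str, Any] = {"unconfirmed": None, "confirmed": 0, "over_budget": None}
    try:
        guard.generate({"Prompt": "a cat"})  # agent tried to skip confirmation
    except GenerationRefused as exc:
        results["unconfirmed"] = str(exc)
    for _ in range(2):
        guard.generate({"Prompt": "a cat"}, confirmed=True)
        results["confirmed"] += 1
    try:
        guard.generate({"Prompt": "a dog"}, confirmed=True)  # budget is spent
    except GenerationRefused as exc:
        results["over_budget"] = str(exc)
    results["calls_made"] = guard.calls_made
    results["audit_entries"] = len(guard.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The confirmation flag is deliberately a parameter of the call rather than a piece of state the agent can set once and forget; the audit log gives you something to reconcile against the Tencent Cloud billing console.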
The skill can act with the permissions of the Tencent Cloud key you provide for AI image generation tasks.
The script uses Tencent Cloud account credentials from environment variables. That is expected for this cloud API integration, and the provided code does not show hardcoded secrets or secret logging.
secret_id = os.getenv("TENCENTCLOUD_SECRET_ID")
secret_key = os.getenv("TENCENTCLOUD_SECRET_KEY")
...
token = os.getenv("TENCENTCLOUD_TOKEN")
Use a least-privilege Tencent Cloud key limited to the needed AI image service, avoid sharing keys in chat, and rotate keys if exposed.
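The snippet above reads the credentials with bare `os.getenv`, which silently yields `None` when a variable is unset. The following added example (not the skill's code) does the same lookup but fails closed on missing values, keeps the secret key out of logs, and builds the least-privilege CAM policy the recommendation above calls for. The CAM action name `aiart:TextToImage` and the `version: "2.0"` policy shape are assumptions about Tencent Cloud's policy syntax; verify them in the CAM console before attaching the policy to a key.

```python
"""Added example (not the skill's code): fail-closed credential loading,
log-safe redaction, and a least-privilege CAM policy for the key.
The action name and policy JSON shape are assumptions about CAM syntax."""
import json
import os
from typing import Dict, Iterable, Mapping, Optional


class MissingCredential(Exception):
    """Raised when a required Tencent Cloud credential is not set."""


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Dict[str, Optional[str]]:
    """Read SecretId/SecretKey (and an optional STS token) from `env`.

    Unlike bare os.getenv, a missing required value raises immediately, so the
    SDK never receives None and the failure is explicit and attributable."""
    source = os.environ if env is None else env
    creds = {
        "secret_id": source.get("TENCENTCLOUD_SECRET_ID"),
        "secret_key": source.get("TENCENTCLOUD_SECRET_KEY"),
        "token": source.get("TENCENTCLOUD_TOKEN"),  # only present for temporary keys
    }
    missing = [name for name in ("secret_id", "secret_key") if not creds[name]]
    if missing:
        raise MissingCredential("missing: " + ", ".join(missing))
    return creds


def redact_id(secret_id: Optional[str]) -> str:
    """Log-safe form of the SecretId: 4-char prefix, rest masked.

    The SecretKey should never be logged at all, masked or not."""
    if not secret_id:
        return "<unset>"
    return secret_id[:4] + "*" * max(0, len(secret_id) - 4)


def least_privilege_policy(actions: Iterable[str] = ("aiart:TextToImage",)) -> str:
    """CAM policy allowing only the listed API actions (assumed syntax)."""
    policy = {
        "version": "2.0",
        "statement": [
            {"effect": "allow", "action": list(actions), "resource": "*"}
        ],
    }
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed environment so the example runs offline.
    sample_env = {
        "TENCENTCLOUD_SECRET_ID": "AKIDconstructedExample",
        "TENCENTCLOUD_SECRET_KEY": "constructedsecret",
    }
    creds = load_credentials(sample_env)
    print("using key", redact_id(creds["secret_id"]))
    print(least_privilege_policy())
```

Attach the generated policy to a dedicated sub-account or CAM role used only by this skill, so that a leaked key through chat history or a prompt injection can at most spend image-generation quota rather than touch storage or compute.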
First use may modify the local Python environment and trust the current PyPI package version.
The script automatically installs an unpinned Python package at runtime if the Tencent Cloud SDK is missing. This is disclosed and relevant to the skill, but the version installed is whatever PyPI serves at that moment, so the skill inherits the provenance of an artifact it never verified.
subprocess.check_call([sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"])
Prefer preinstalling or pinning the Tencent Cloud SDK in a trusted environment before using the skill.
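The contrast between the skill's install line and a pinned, hash-checked one, as an added example that is not the skill's own code: `ensure_sdk` defaults to refusing to install and telling the user what to do; only when the host explicitly opts in does it run pip, and then against a requirements file with `--require-hashes` so a substituted or newer artifact is rejected. The version `3.0.0` and the all-zero sha256 are placeholders (assumptions); take the real values from a lockfile produced in a trusted environment.

```python
"""Added example (not the skill's code): the skill's unpinned runtime install
beside a hardened, opt-in, pinned and hash-checked variant.
PINNED_VERSION and PINNED_SHA256 are placeholders, not real release values."""
import importlib.util
import os
import subprocess
import sys
import tempfile
from typing import Callable, List

PACKAGE = "tencentcloud-sdk-python"
IMPORT_NAME = "tencentcloud"      # top-level module the package provides
PINNED_VERSION = "3.0.0"          # placeholder: take from your lockfile
PINNED_SHA256 = "0" * 64          # placeholder: take from your lockfile


def sdk_is_installed() -> bool:
    """True if the SDK module can be imported in this interpreter."""
    return importlib.util.find_spec(IMPORT_NAME) is not None


def unpinned_install_command() -> List[str]:
    """What the skill runs: whatever PyPI serves right now gets installed."""
    return [sys.executable, "-m", "pip", "install", PACKAGE, "-q"]


def requirements_line(package: str = PACKAGE, version: str = PINNED_VERSION,
                      sha256: str = PINNED_SHA256) -> str:
    """One hash-pinned requirements-file line; --hash is a requirements-file
    option, it cannot be given on the pip command line."""
    return f"{package}=={version} --hash=sha256:{sha256}"


def pinned_install_command(req_file: str) -> List[str]:
    """--require-hashes rejects any distribution whose hash is not listed;
    --no-deps keeps unpinned transitive packages from being pulled in."""
    return [sys.executable, "-m", "pip", "install", "--require-hashes",
            "--no-deps", "-q", "-r", req_file]


def ensure_sdk(auto_install: bool = False,
               runner: Callable[[List[str]], object] = subprocess.check_call) -> str:
    """Return "present" if the SDK is importable, "installed" after an opt-in
    pinned install, or raise ImportError when auto-install is not allowed."""
    if sdk_is_installed():
        return "present"
    if not auto_install:
        raise ImportError(
            f"{PACKAGE} is not installed. Install it in a controlled environment "
            f"from a hash-pinned requirements file, e.g. the line: {requirements_line()}")
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(requirements_line() + "\n")
        path = fh.name
    try:
        runner(pinned_install_command(path))
    finally:
        os.unlink(path)
    return "installed"


if __name__ == "__main__":
    print("skill's command:", unpinned_install_command())
    print("hardened command:", pinned_install_command("requirements.txt"))
    print("status:", ensure_sdk(auto_install=False) if sdk_is_installed() else "sdk missing")
```

The `runner` parameter exists so the pip invocation can be swapped for a recorder in tests; in production leave it as `subprocess.check_call`. Even with hashes, first use still modifies the Python environment, so preinstalling in a prepared image remains the simpler control.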
