Baoyu Image Gen

Pass

Audited by ClawScan on May 10, 2026.

Overview

This image-generation skill is mostly purpose-aligned, but the reviewed package does not include the script it says it will run, and the skill may send selected prompts or images to external AI providers.

Install only if you trust the package source and can verify the missing runtime script is present in the actual installation. Review any EXTEND.md preference file in the project, use least-privilege provider credentials, and avoid sending sensitive prompts or reference images to external AI providers unless you accept their policies.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may not work as documented, and the actual image-generation implementation is not available for review in these artifacts.

Why it was flagged

The supplied file manifest lists only SKILL.md and references/config/first-time-setup.md, so the central script the agent is told to run is absent from the reviewed package.

Skill content

Script path = `{baseDir}/scripts/main.ts`

Recommendation

Before using provider credentials or sensitive prompts, verify that the installed package includes the expected scripts/main.ts file from a trusted source.

What this means

If bun is not already installed, npx may download and run a runtime package before attempting generation.

Why it was flagged

The skill is designed to execute a local TypeScript script using bun, with an npx fallback that may fetch the bun runtime. This is aligned with a CLI-based image-generation skill but is still local command execution.

Skill content

Resolve `${BUN_X}` runtime: if `bun` installed → `bun`; if `npx` available → `npx -y bun`

Recommendation

Prefer a trusted, already-installed bun runtime or review the command path before first use.

What this means

You may still need API keys or provider account configuration, and image generation may incur provider charges.

Why it was flagged

The skill is described as API-based image generation across multiple providers, but the registry metadata does not declare provider credentials. This looks like an under-declared optional integration requirement rather than evidence of credential misuse.

Skill content

Required env vars: none; Env var declarations: none; Primary credential: none

Recommendation

Use provider credentials with the least necessary scope and check provider billing/data-retention settings.

What this means

Prompts and selected reference images may be shared with third-party AI providers.

Why it was flagged

The skill is explicitly designed to send generation requests to external provider APIs. The visible instructions also support reference-image workflows, so selected prompt and image content may leave the local environment.

Skill content

Supports OpenAI, Google, OpenRouter, DashScope (阿里通义万象), Jimeng (即梦), Seedream (豆包) and Replicate providers.

Recommendation

Do not use confidential prompts or images unless the selected provider’s data handling policy is acceptable.

What this means

A project-local EXTEND.md can change default provider, model, quality, or batch settings for future image generation.

Why it was flagged

The skill loads persistent project or user preferences before generation. This is disclosed and useful, but project-level files can influence model/provider defaults across runs.

Skill content

Check EXTEND.md existence (priority: project → user) ... Found | Load, parse, apply settings.

Recommendation

Review .baoyu-skills/baoyu-image-gen/EXTEND.md in unfamiliar projects and keep preference files limited to documented settings.