Creatok Generate Image

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do the disclosed image-generation task using CreatOK, with expected API-key use, provider calls, optional reference-image upload, and local result artifacts.

Before installing, make sure you trust CreatOK with the prompts and any reference images you provide, understand that confirmed generations may consume credits, and know where local artifacts are stored if you need to remove them later.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Starting a generation may consume CreatOK credits or incur cost.

Why it was flagged

The skill can trigger paid image-generation API calls, but it explicitly discloses this and requires a confirmation gate.

Skill content

Must request **user confirmation** before triggering any paid/high-cost image generation call.

Recommendation

Confirm the model, image count, resolution, and estimated credits before approving generation.

What this means

The skill can act against the user's CreatOK account within the permissions of the configured API key.

Why it was flagged

The skill uses the declared CreatOK API key as its provider credential, which is expected for this integration.

Skill content

const apiKey = process.env.CREATOK_API_KEY; ... openSkillsKey: String(apiKey)

Recommendation

Use a CreatOK API key intended for this purpose and rotate or remove it if you no longer use the skill.

What this means

Reference images and prompts used for generation are sent outside the local machine to CreatOK's service.

Why it was flagged

When reference images are provided, the skill reads the selected local image file and uploads it to a presigned URL returned by CreatOK.

Skill content

const file = await fs.readFile(filePath); ... await fetch(upload.presignedUploadUrl, { method: 'PUT', headers: { 'Content-Type': fileType }, body: file })

Recommendation

Only provide reference images and prompts you are comfortable sending to CreatOK.

What this means

Task IDs, image URLs, status data, and provider responses may remain on disk after generation.

Why it was flagged

The skill intentionally stores generation metadata and raw results locally for recovery and output tracking.

Skill content

Write: `outputs/result.json` with `task_id/status/images/raw` ... Persist the `task_id` immediately after submission so the user can recover later.

Recommendation

Delete the generated .artifacts directory if task details or image URLs are sensitive.