Jimeng AI
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it claims—generate images and videos through VolcEngine Jimeng AI—but it uses cloud API credentials, sends prompts to the provider, and stores task data locally.
This skill is reasonable to install if you intend to use VolcEngine Jimeng AI. Before installing, prepare least-privileged or temporary VolcEngine credentials, avoid debug mode in shared logs, remember that prompts are sent to VolcEngine, and clean up local output folders if prompts or generated media are sensitive.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act against the user's VolcEngine account for Jimeng generation requests and may consume paid quota depending on the account configuration.
The skill needs VolcEngine account credentials to sign API requests. This is expected for the integration, but users should treat these as sensitive cloud credentials, especially because the registry metadata supplied for review declares no credential requirement.
| `VOLCENGINE_AK` | **Required** | VolcEngine Access Key |
...
| `VOLCENGINE_SK` | Conditionally required | VolcEngine Secret Key |
Use a least-privileged or temporary VolcEngine credential where possible, avoid sharing the environment that contains the keys, and verify the provider account permissions before use.
Debug logs could reveal sensitive prompts or partial credential-related request data to anyone who can read the terminal or logs.
When DEBUG or --debug is enabled, the script logs the request body and the beginning of the signed request URL. This appears intended for troubleshooting, but it may expose prompts and some authentication query material in logs.
if (process.env.DEBUG) {
  console.error('Debug - Request URL:', url.slice(0, 200) + '...');
  console.error('Debug - Request Body:', payload);
}
Do not enable debug mode in shared terminals, CI logs, support transcripts, or other places where logs may be retained or viewed by others.
A prompt submitted through the skill is sent to VolcEngine and may create a billable or quota-consuming generation task.
Running the tool with a new prompt submits a remote generation task. This is the stated purpose, but it is a real account-impacting action.
When run with a new prompt, the script will: 1. Submit the task to the API
Invoke the skill only when you intend to submit the prompt to VolcEngine, and review account quota or billing settings if cost matters.
Sensitive or private prompts may remain in local output folders after generation completes.
The skill persists task parameters, API responses, and task IDs locally so later runs can resume or query the same task. This is disclosed, but task parameters may include the user's prompt.
Saves `param.json`, `response.json` and `taskId.txt` ...
output/
└── <md5(prompt)>/
Avoid entering confidential prompts unless local storage is acceptable, and delete the output folders when you no longer need the task history.
Installing the skill's dependencies depends on the npm packages and registry resolution used at install time.
The documented setup uses npm dependencies. This is normal for a TypeScript CLI, and package.json shows no install-time scripts, but installing still pulls third-party packages.
"dependencies": { "axios": "^1.6.0", "crypto-js": "^4.2.0" }, "devDependencies": { ... "ts-node": "^10.9.0", "typescript": "^5.0.0" }
Install in a normal user workspace, keep the provided lockfile, and review dependency changes if the package is updated.
