Cloudflare Image Generation (Free)

Review

Audited by ClawScan on May 15, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.

Before installing, create a narrowly scoped Cloudflare Workers AI token, store it only in the documented ACCESS file with restrictive permissions, and understand that prompts will be sent to Cloudflare and optionally to any Ollama host you configure. The provided artifacts do not show malicious behavior, but the visible code excerpt was truncated, so review the complete local file before running it. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.

Publisher note

Skill calls to its LLM to enhance a prompt or local Ollama model, then sends the prompt to Cloudflare for AI Workers to generate the image and return it back to the user. This requires a Cloudflare AI Worker API Key and the Cloudflare Account ID to function.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your Cloudflare account token to run Workers AI image generation requests against your account.

Why it was flagged

The skill reads a Cloudflare Workers AI token and account ID from a local credentials file and uses the token to call Cloudflare's API. This is expected for the stated integration, but it is still sensitive account access.

Skill content

const content = fs.readFileSync(envPath, 'utf8'); ... return { token: tokenMatch[1].trim(), accountId: accountMatch[1].trim() }; ... 'Authorization': `Bearer ${token}`

Recommendation

Use a least-privilege Cloudflare API token limited to Workers AI, keep the credentials file permission-restricted, and revoke or rotate the token if you stop using the skill.

What this means

If you enable remote Ollama enhancement, your image prompt may be sent to another machine or service on your network.

Why it was flagged

Optional prompt enhancement can send the user's prompt to a local or remote Ollama service, including over plain HTTP. This is disclosed and purpose-aligned, but users should understand that prompt text may leave the local agent process.

Skill content

Ollama prompt enhancement can use either a local or remote Ollama instance. ... --ollama-host http://192.168.1.100:11434

Recommendation

Use local Ollama when possible, only configure trusted remote hosts, avoid putting secrets in prompts, and secure any remote Ollama server with network controls.