Moyu Make Xhs Pics

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned for generating images from Markdown, but it uses third-party image APIs and API keys, so users should avoid sending sensitive articles.

This looks like a normal Markdown-to-image generation skill. Before installing or using it, set only the API key for the provider you intend to use, avoid feeding it confidential Markdown content, and consider pinning dependencies if you need reproducible installs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may consume credits or quota on the configured image-generation account.

Why it was flagged

The skill reads provider API keys from environment variables to call MiniMax or DashScope. This is expected for an image-generation integration, but it gives the skill access to API account credentials.

Skill content
self.api_key = os.getenv('MINIMAX_API_KEY') ... self.api_key = os.getenv('DASHSCOPE_API_KEY')

Recommendation

Use provider keys intentionally, prefer a key with limited scope or quota, and revoke or rotate it if no longer needed.

What this means

If the Markdown article contains private or confidential content, parts of it may be sent to MiniMax or Alibaba DashScope.

Why it was flagged

Prompts generated from the Markdown article are submitted to external image-generation providers. This matches the stated purpose, but it means article text can leave the local environment.

Skill content
payload = {"model": "image-01", "prompt": styled_prompt, ...}; response = requests.post(self.base_url, json=payload, headers=headers, timeout=120) ... ImageSynthesis.call(api_key=self.api_key, model="qwen-image", prompt=styled_prompt, ...)

Recommendation

Only process Markdown files you are comfortable sharing with the selected provider, and review the provider’s privacy and retention terms.

What this means

Installation may depend on whatever package versions are current at install time.

Why it was flagged

The dependency list does not pin package versions, so a future install may pull newer package versions than the author tested. The packages are consistent with HTTP API calls and image processing.

Skill content
requests
dashscope
Pillow

Recommendation

Install from a trusted environment, consider pinning dependency versions, and review package provenance before use.