Moyu Make Xhs Pics

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may consume credits or quota on the configured image-generation account.

Why it was flagged

The skill reads provider API keys from environment variables to call MiniMax or DashScope. This is expected for an image-generation integration, but it gives the skill access to API account credentials.

Skill content

self.api_key = os.getenv('MINIMAX_API_KEY') ... self.api_key = os.getenv('DASHSCOPE_API_KEY')

Recommendation

Use provider keys intentionally, prefer a key with limited scope or quota, and revoke or rotate it if no longer needed.

What this means

If the Markdown article contains private or confidential content, parts of it may be sent to MiniMax or Alibaba DashScope.

Why it was flagged

Prompts generated from the Markdown article are submitted to external image-generation providers. This matches the stated purpose, but it means article text can leave the local environment.

Skill content

payload = {"model": "image-01", "prompt": styled_prompt, ...}; response = requests.post(self.base_url, json=payload, headers=headers, timeout=120) ... ImageSynthesis.call(api_key=self.api_key, model="qwen-image", prompt=styled_prompt, ...)

Recommendation

Only process Markdown files you are comfortable sharing with the selected provider, and review the provider’s privacy and retention terms.

What this means

Installation may depend on whatever package versions are current at install time.

Why it was flagged

The dependency list does not pin package versions, so a future install may pull newer package versions than the author tested. The packages are consistent with HTTP API calls and image processing.

Skill content

requests
dashscope
Pillow

Recommendation

Install from a trusted environment, consider pinning dependency versions, and review package provenance before use.