suspicious.env_credential_access
- Location
- scripts/image-generator.ts:20
- Finding
- Environment variable access combined with network send.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.env_credential_access
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your DashScope API key is used to make image-generation requests and could be sent to a non-default endpoint if your environment overrides the base URL.
The skill uses an environment API key to authenticate to the image provider. This is purpose-aligned, but users should verify the endpoint, especially because DASHSCOPE_BASE_URL can override the default.
- Evidence
- const base = process.env.DASHSCOPE_BASE_URL || "https://dashscope.aliyuncs.com"; ... Authorization: `Bearer ${apiKey}`
- Recommendation
- Set DASHSCOPE_API_KEY only for the intended provider account, and verify that DASHSCOPE_BASE_URL is unset or points to a trusted DashScope-compatible endpoint.
Article headings or extracted prompt details may be sent to DashScope for image generation.
Generated prompt text is sent to the external DashScope API. This is disclosed and necessary for the skill, but article-derived prompt content leaves the local machine.
- Evidence
- content: [{ text: stylePrompt }], ... const res = await fetch(url, { method: "POST", ... body: JSON.stringify(body) })
- Recommendation
- Avoid using this skill on confidential articles unless sending prompt-derived content to DashScope is acceptable.
The Markdown article you pass to the script will be changed, with a backup saved alongside it.
The skill rewrites the selected article to insert image references, but first creates a backup. This file mutation is disclosed and scoped to the user-provided article path.
- Evidence
- const backupPath = `${articlePath}.bak-${Date.now()}`; await copyFile(articlePath, backupPath); ... await writeFile(articlePath, newLines.join("\n"));
- Recommendation
- Review the generated backup and the diff before committing or publishing the modified article.