Cat Selfie

ReviewAudited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its cat-image purpose, but its script builds a shell command from scene prompt text, so customized or tampered prompts could run unintended local commands.

Review this skill before installing. It appears intended to generate cat images, but avoid untrusted custom scene prompts until the shell execution is fixed, verify the separate volcengine-image-generate skill, and be aware that it needs a Volcengine API key and may consume account quota.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI05: Unexpected Code Execution

What this means

A malicious or malformed custom scene prompt could make the skill run local commands when generating an image.

Why it was flagged

The prompt is inserted into a shell command string and executed through execSync. Because scene prompts are data and the docs allow custom scenes, a prompt containing shell substitution or quoting characters could cause unintended local command execution.

Skill content

const prompt = selectedScene.prompt;
        const command = `python3 "${IMAGE_GENERATE_SCRIPT}" "${prompt}"`;
...
        execSync(command, {

Recommendation

Replace execSync(command) with execFileSync or spawnSync using an argument array, and validate or treat scene prompt text as untrusted data.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

If the dependent skill is missing, outdated, or replaced, this skill may fail or run code that was not part of this review.

Why it was flagged

The skill depends on and executes a Python script from a separately installed sibling skill. SKILL.md discloses this dependency, but that dependency is not included in the reviewed artifacts or enforced by an install spec.

Skill content

const IMAGE_GENERATE_SCRIPT = path.join(__dirname, '../../volcengine-image-generate/scripts/image_generate.py');

Recommendation

Install the volcengine-image-generate skill only from a trusted source, review it separately, and declare or pin this dependency in the skill metadata/install requirements.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill may use your Volcengine account and quota when invoked, and users may not see this requirement from metadata alone.

Why it was flagged

The skill requires a Volcengine API key/configuration to generate images. This is expected for the stated purpose, but registry metadata declares no required environment variables or primary credential.

Skill content

"ARK_API_KEY": "你的火山引擎 API Key",
    "MODEL_IMAGE_NAME": "doubao-seedream-5-0-260128"

Recommendation

Declare the required API key in metadata, keep the key scoped and protected, and expect usage costs or quota consumption when generating images.