Coze Image
Pass
Audited by ClawScan on May 9, 2026.
Overview
The skill is a straightforward Coze image generator, but it needs your Coze API token, sends prompts to Coze, and can optionally save downloaded images locally.
This skill appears safe for its stated purpose. Before installing, be prepared to install `requests`, configure your own Coze token and workflow ID, keep the token private, avoid sensitive prompt content, and choose any local image save path carefully.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the configured script may see the Coze token, and the token may allow access to the user's Coze API permissions.
The script requires a Coze API token and uses it as a bearer credential for the Coze workflow API; this is purpose-aligned but sensitive.
API_TOKEN = "你的_Coze_API_Token" ... "Authorization": f"Bearer {CONFIG['api_token']}"
Use a least-privilege Coze token, avoid sharing or committing the configured file, and prefer environment variables or a local secret manager if possible.
Image descriptions entered by the user are transmitted to Coze for processing.
The user's image prompt is sent to an external Coze API endpoint, which is expected for this image-generation skill.
API_URL = "https://api.coze.cn/v1/workflow/run" ... "parameters": {"input": prompt}
Do not include private or sensitive information in prompts unless you are comfortable sending it to Coze under its service terms and privacy practices.
If a poor output path is chosen, the tool could overwrite or create files in unintended locations.
The tool can download the generated image and write it to a user-supplied path when the optional save argument is used.
if save_path: ... os.makedirs(os.path.dirname(save_path) or ".", exist_ok=True) ... open(save_path, "wb")
Only use the `-o` option with an explicit safe path, and avoid protected directories or filenames that may already contain important data.
Dependency installation relies on the user's Python package environment and package index configuration.
The README requires installing the external Python package `requests`, but the supplied artifacts do not include a pinned requirements file or install spec.
pip install requests
Install dependencies from a trusted package index, consider pinning versions, and use a virtual environment.
