image2

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed image-generation API client; the main cautions are third-party processing and optional plaintext local API-key storage.

Install only if you trust kexiangai.com with your prompts, reference image URLs, and generated-task metadata. Prefer setting X_API_KEY only for the current session; if you use the local key helper, treat ~/.config/image2/.env as a sensitive plaintext secret and remove or rotate the key when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Credential Access

High
Category
Privilege Escalation
Content
  secrets:
    primary: "X_API_KEY"
  storage:
    optional: ["~/.config/image2/.env (only when user explicitly enables --use-local-key)"]
---

## Security Statement (ClawHub scan-friendly)
Confidence
91% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
### First-time setup (one-time only)

```bash
mkdir -p ~/.config/image2
cat > ~/.config/image2/.env << 'EOF'
X_API_KEY=你的x-api-key
EOF
```
Confidence
87% confidence
Finding
mkdir -p ~/.config/image2 cat > ~/.config/image2/.env << 'EOF' X_API_KEY=你的x-api-key EOF chmod 600 ~/.config/image2/.env ``` ## Core API See `references/api-guide.md` for detailed field descriptions. ```bash curl --location 'http

VirusTotal

65/65 vendors flagged this skill as clean.
