Civitai Generation API

Result: Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill coherently generates images through CivitAI, but users should note that it requires a CivitAI API token, installs an unpinned npm package, and writes output files locally.

This looks like a normal CivitAI image-generation helper. Before installing, make sure you trust the `civitai` npm package, set `CIVITAI_API_TOKEN` only if you intend to let the skill use your CivitAI account, and choose output paths carefully so generated images do not overwrite important files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and invoked with your token configured, the skill can submit image-generation jobs through your CivitAI account.

Why it was flagged

The skill uses a CivitAI API token to authenticate generation requests. This is expected for the service, but it gives the skill authority to use the user's CivitAI account and may consume account credits or subscription resources.

Skill content
const apiToken = process.env.CIVITAI_API_TOKEN;
...
const civitai = new Civitai({
  auth: apiToken,
});
Recommendation

Use a revocable/least-privilege CivitAI token if available, monitor usage, and ensure you are comfortable with generation requests being sent to CivitAI.

What this means

Installing the dependency may fetch code that was not included in this artifact review.

Why it was flagged

The skill depends on an npm package installed without a pinned version or lockfile in the provided artifacts. This is central to the stated purpose, but users rely on the provenance of whatever `civitai` version npm resolves at install time.

Skill content
npm install civitai
Recommendation

Install from a trusted npm registry, consider pinning a known-good `civitai` package version, and review dependency provenance if using this in a sensitive environment.

What this means

A careless invocation could save the generated image over an existing file that the process can write.

Why it was flagged

The generated image is downloaded to the path supplied via `--output`. This is expected functionality, but an unsafe or accidental path could overwrite a local file.

Skill content
const outputPath = path.resolve(options.output);
console.log(`Downloading image to: ${outputPath}`);
await downloadImage(result.blobUrl, outputPath);
Recommendation

Use a dedicated output directory or explicit image filename, and confirm the output path before running the skill.