Jimeng-Image-Generater
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent Volcengine Jimeng image-generation wrapper with optional Feishu sending, but users should notice the required Volcengine keys and local Feishu message gateway.
Install only if you are comfortable providing Volcengine API keys and sending prompts/reference image URLs to Volcengine. If you use the Feishu option, verify the recipient and that the localhost message service is trusted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives it the ability to spend or act through the configured Volcengine account for the requested image-generation calls.
The skill requires Volcengine account credentials even though the registry metadata lists no required environment variables or primary credential.
export VOLCENGINE_AK="你的AccessKeyID"
export VOLCENGINE_SK="你的SecretAccessKey"
Use a dedicated, least-privilege Volcengine key if possible, monitor usage/billing, and remove the environment variables when not needed.
If a target is provided, the prompt and generated image URL are handed to the local Feishu gateway and may be sent to the specified recipient.
Optional Feishu delivery is implemented by posting prompt text, recipient target, and generated image URL to a localhost message gateway whose identity and permissions are not described.
curl -s -X POST "http://localhost:18789/message" ... "channel": "feishu", "target": "$target", "message": "$caption", "media": "$image_url"
Only use the Feishu target option when you trust the local service on port 18789 and have checked the recipient.
Unusual prompt, URL, or target text could cause failed requests or unintended payload fields, especially when sending through the Feishu gateway.
The shell script constructs JSON by string interpolation with user-provided prompt and URL values, which can break or alter requests if those values contain quotes or JSON control characters.
req_body="{\"req_key\":\"jimeng_t2i_v40\",\"prompt\":\"$prompt\",\"image_urls\":[\"$image_url\"],\"force_single\":$force_single}"
Avoid passing untrusted raw JSON-like text as arguments; the maintainer should build payloads with a JSON encoder rather than shell string concatenation.
