Skill v1.0.0

ClawScan security

ZenMux Image Gen (Nano Banana 2) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review date: Mar 3, 2026, 2:09 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini

Summary: The skill generally behaves like an image-generation wrapper for ZenMux, but packaging and metadata inconsistencies (missing declared env var) plus a truncated script file reduce confidence and warrant caution before installing.

Guidance: This skill appears to implement a legitimate ZenMux image-generation client, but exercise caution:
(1) the package metadata does not declare the ZENMUX_API_KEY even though both SKILL.md and the script require it; verify the publisher and why the metadata is incomplete;
(2) the provided script appears truncated in the bundle listing (file output was cut off), so request or review the full script before running; the missing tail could contain unexpected behavior;
(3) follow the SKILL.md advice and do not pass API keys on the command line; set ZENMUX_API_KEY in a secure environment variable instead;
(4) confirm network endpoints (the script calls only zenmux.ai) and, if you must run it, do so in an isolated environment/container and inspect the full source;
(5) if you need higher assurance, ask the publisher for complete source and a signed release, or prefer an official client from zenmux.ai.

Review Dimensions

Purpose & Capability (note): The name, description, SKILL.md, and the script all target ZenMux image generation (Vertex AI/Gemini models). That purpose aligns with the code's network calls to https://zenmux.ai/... and the CLI options. However, the registry metadata claims 'Required env vars: none' whereas SKILL.md and the script explicitly require ZENMUX_API_KEY; this mismatch suggests sloppy metadata or incomplete publishing.

Instruction Scope (ok): Runtime instructions and the script stay within the stated purpose: building a request from a prompt (and optional input image), POSTing to the ZenMux Vertex-like endpoint, and saving the returned image bytes. The SKILL.md warns not to pass API keys on the command line (good). The SKILL.md and script do not request unrelated system files, other credentials, or external endpoints beyond zenmux.ai.

Install Mechanism (ok): This is an instruction-only skill with no install spec; the included script is executed directly. No download/install steps or third-party package pulls are present in the manifest, which reduces install-time risk.

Credentials (concern): The code and SKILL.md require a ZENMUX_API_KEY (or --api-key) to call the API, which is proportionate to the task. But the registry metadata declares no required env vars, an inconsistent declaration. Additionally, the script provides a --api-key CLI flag even though the SKILL.md explicitly warns against using it (exposure risk via shell history). No other credentials are requested, which is appropriate.

Persistence & Privilege (ok): The skill does not request persistent/always-on presence and does not modify other skills or system config. It runs as a normal user-invokable script and does not escalate privileges in the visible code.