China Image Gen

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only image-generation skill, but it uses your SiliconFlow API key/credits and sends prompts to SiliconFlow.

This skill appears safe and coherent for generating images through SiliconFlow. Before installing, be aware that you need to provide a SiliconFlow API key, requests may use paid credits, and your prompts/images will be processed by SiliconFlow; avoid sensitive prompts and make sure command construction safely escapes user text.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Image generation requests may be sent automatically through curl when you ask for an image, and poorly escaped prompt text could break the command or cause unintended shell behavior.

Why it was flagged

The skill instructs the agent to use a raw curl command and insert the user's prompt into a JSON payload. This is central to the skill, but prompt text should be escaped/encoded carefully before being placed in a shell command.

Skill content

curl -s -X POST "https://api.siliconflow.cn/v1/images/generations" ... -d '{ ... "prompt": "YOUR_PROMPT_HERE" ... }'

Recommendation

Use safe JSON construction or careful shell quoting for prompts, and confirm model, size, and image count before making paid API calls.

What this means

The skill can generate images using your SiliconFlow account and may consume free or paid credits.

Why it was flagged

The skill uses a SiliconFlow bearer token to access the user's account. This is expected for the image-generation service and no credential leakage or unrelated use is shown.

Skill content

Requires a SiliconFlow API key ... export SILICONFLOW_API_KEY="sk-xxxxxxxxxxxxxxxx"

Recommendation

Store the API key securely, rotate it if exposed, and monitor SiliconFlow usage or billing.

What this means

Sensitive prompts or generated image content may be processed by SiliconFlow and exposed through a time-limited link.

Why it was flagged

User prompts are sent to SiliconFlow, and the generated image is returned through a temporary CDN URL. This is purpose-aligned, but it creates a third-party data boundary.

Skill content

"prompt": "YOUR_PROMPT_HERE" ... "url": "https://cdn.siliconflow.cn/generated/xxx.png"

Recommendation

Avoid using private, confidential, or regulated content in prompts unless you are comfortable sending it to SiliconFlow.