Image Generator
PassAudited by ClawScan on May 10, 2026.
Overview
This skill coherently wraps SiliconFlow image generation, but users should be aware it uses an API key and can send selected reference images to SiliconFlow.
This appears reasonable to install if you intend to use SiliconFlow for image generation. Set a dedicated SILICONFLOW_API_KEY, avoid using a generic API_KEY unless it is specifically for SiliconFlow, and only pass local reference images that you are comfortable sending to SiliconFlow.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a generic API_KEY environment variable contains a non-SiliconFlow secret, it could be used in a SiliconFlow request when the skill runs.
The script loads an API key from the environment and sends it as the Bearer token to SiliconFlow. This is expected for the integration, but the generic API_KEY fallback is broader than a service-specific credential name.
for name in ('SILICONFLOW_API_KEY', 'API_KEY'):
v = os.environ.get(name)
...
'Authorization': f'Bearer {load_key()}',Use SILICONFLOW_API_KEY for this skill and avoid relying on a generic API_KEY; the skill metadata should also declare the credential expectation.
Any file provided as image_path will be sent to SiliconFlow as the reference image content.
For image-to-image generation, the script reads the user-supplied local image path, embeds the file in the API payload, and posts it to SiliconFlow. This matches the stated purpose but crosses a local-to-provider data boundary.
if body.get('image_path'):
p = pathlib.Path(body['image_path'])
data = base64.b64encode(p.read_bytes()).decode('ascii')
...
resp = requests.post(API_URL, headers=headers, json=payload, timeout=180)Only provide intended non-sensitive image files, and avoid pointing image_path at private documents or unrelated local files.