Image Generator

Advisory. Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a generic API_KEY environment variable contains a non-SiliconFlow secret, it could be used in a SiliconFlow request when the skill runs.

Why it was flagged

The script loads an API key from the environment and sends it as the Bearer token to SiliconFlow. This is expected for the integration, but the generic API_KEY fallback is broader than a service-specific credential name.

Skill content

    for name in ('SILICONFLOW_API_KEY', 'API_KEY'):
        v = os.environ.get(name)
    ...
    'Authorization': f'Bearer {load_key()}',

Recommendation

Use SILICONFLOW_API_KEY for this skill and avoid relying on a generic API_KEY; the skill metadata should also declare the credential expectation.

What this means

Any file provided as image_path will be sent to SiliconFlow as the reference image content.

Why it was flagged

For image-to-image generation, the script reads the user-supplied local image path, embeds the file in the API payload, and posts it to SiliconFlow. This matches the stated purpose but crosses a local-to-provider data boundary.

Skill content

    if body.get('image_path'):
        p = pathlib.Path(body['image_path'])
        data = base64.b64encode(p.read_bytes()).decode('ascii')
    ...
    resp = requests.post(API_URL, headers=headers, json=payload, timeout=180)

Recommendation

Only provide intended non-sensitive image files, and avoid pointing image_path at private documents or unrelated local files.