volcengine-image-generate

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Volcengine image-generation helper, with some setup and documentation gaps users should notice before use.

Before installing, confirm you trust the skill source, install the Volcengine SDK from a trusted source, set only the intended API key, and remember that prompts are sent to the image provider and generated images are saved locally rather than merely returned as URLs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can create image files in the working directory or a directory chosen by IMAGE_DOWNLOAD_DIR.

Why it was flagged

The script downloads generated image URLs and writes files locally. This is purpose-aligned for image generation, but users should know it creates files rather than only returning a URL.

Skill content

download_dir = os.getenv("IMAGE_DOWNLOAD_DIR", os.path.expanduser("./")) ... urllib.request.urlretrieve(image.url, filepath) ... print(f"Downloaded to: {filepath}")

Recommendation

Run it from an intended folder or set IMAGE_DOWNLOAD_DIR explicitly, and review generated files before sharing or reusing them.

What this means

The skill may use your Volcengine/Ark account quota or billing when generating images.

Why it was flagged

The script reads provider API credentials from environment variables. This is expected for calling Volcengine Ark, but the registry metadata lists no primary credential or required env vars.

Skill content

api_key = os.getenv("MODEL_IMAGE_API_KEY") or os.getenv("ARK_API_KEY")

Recommendation

Use a scoped API key where possible, set it only in the environment where you intend to run the skill, and avoid exposing credentials in prompts or logs.

What this means

Users may need to install an additional package, and installing the wrong package source could introduce unrelated risk.

Why it was flagged

The included code depends on an external SDK, while the supplied install metadata provides no install spec or dependency declaration. This is a setup/provenance gap rather than evidence of malicious behavior.

Skill content

from volcenginesdkarkruntime import Ark

Recommendation

Install the Volcengine SDK only from an official or otherwise trusted package source, and pin versions if using this in a controlled environment.