Grok Image API
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill coherently calls a configured image-generation/editing API and saves returned images locally; users should just be aware it uses an API key, uploads selected images, and writes output files.
This skill appears coherent and purpose-aligned. Before installing or using it, confirm the API base URL is the provider you intend to use, supply only an appropriate API key, avoid sensitive images unless you trust the provider, and save outputs in a safe directory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide an API key, and requests made with that key may access the configured image service and potentially incur usage charges.
The helper script reads an API key from the environment and attaches it as a bearer token to image API requests, which is expected for this integration but still grants account/API authority.
"Authorization": f"Bearer {api_key}"
Use a dedicated, least-privileged API key where possible, verify the base URL before use, and avoid pasting secrets into chats or files.
Prompts, source images, and masks provided for editing may leave the local environment and be processed by the configured API provider.
Image editing sends the selected local image and optional mask to the configured external API endpoint.
For editing, send multipart form data to `/v1/images/edits` with `image` and optional `mask`.
Only use trusted API endpoints and avoid uploading private or sensitive images unless the provider's handling and retention policies are acceptable.
Generated or edited images will be saved locally, and a user-specified output path could overwrite an existing file if chosen carelessly.
The skill downloads provider-returned URLs and writes image files to disk, which is purpose-aligned but affects the local filesystem.
Save the returned image locally. If the API returns a URL, download it locally by default.
Review output paths before running commands and use a dedicated output directory for generated images.
Users have less external provenance information for assessing who maintains the skill.
The registry metadata does not provide an upstream source or homepage, although the supplied artifacts include the full helper script and no install-time dependency fetches.
Source: unknown
Homepage: none
Review the included files before installation and prefer trusted distribution channels or maintainers for production use.
