Skill v1.1.1
ClawScan security
Grok Image API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 10:05 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a coherent, instruction-only image helper: a local Python script that calls OpenAI-compatible image generation/edit endpoints, saves/downloads images, and expects an API base URL and key (which the registry metadata oddly omits).
- Guidance
- This skill appears to do what it says: a local Python helper to call image generation/edit APIs. Before installing or running it, ensure you: (1) only provide an API base URL and API key for a trusted image service (the script will read IMAGE_API_BASE_URL or GROK_IMAGE_BASE_URL and IMAGE_API_KEY or GROK_IMAGE_API_KEY); (2) are comfortable that editing will upload any local image path you supply to that external service; and (3) note the registry metadata omitted the required env vars — double-check SKILL.md and the script for the exact variable names. If in doubt, run the script in a sandbox or review the code (it's included and uses only the Python standard library).
Review Dimensions
- Purpose & Capability
- note: The skill name and description match the included script and SKILL.md: it targets POST /v1/images/generations and /v1/images/edits and provides generate/edit/probe actions. One minor inconsistency: the registry metadata lists no required environment variables, but both SKILL.md and the script expect IMAGE_API_BASE_URL (or GROK_IMAGE_BASE_URL) and IMAGE_API_KEY (or GROK_IMAGE_API_KEY). Otherwise the requested capabilities are proportionate to the stated purpose.
- Instruction Scope
- ok: The runtime instructions and script are scoped to calling the image endpoints, saving results locally, and (for edits) uploading user-provided image files. The skill reads only the API env vars, accepts file paths supplied by the user, writes output under output/grok-images/, and will download returned URLs by default. There are no instructions to read unrelated system files or to send data to endpoints outside the configured IMAGE_API_BASE_URL.
- Install Mechanism
- ok: There is no install spec (instruction-only skill) and the bundled Python script uses only the standard library. Nothing is downloaded from external URLs or installed during skill setup, so installation risk is low.
- Credentials
- note: The script legitimately requires an API base URL and API key (IMAGE_API_BASE_URL / IMAGE_API_KEY or alternates) to talk to the image service. The proportionality is appropriate for the task. However, the registry metadata did not declare these required environment variables, which is an omission that could mislead users about what secrets the skill needs.
- Persistence & Privilege
- ok: The skill does not request persistent or elevated platform privileges (always is false). It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (default) but not combined with other concerning behaviors.
