AI Image Generator & Splitter

Audited by ClawScan on May 10, 2026.

Overview

The image-generation purpose is coherent, but the included local web service exposes high-impact file, shell, and credential-handling behavior that is broader than the stated image workflow.

Only run this skill if you trust the code and keep the service private to your machine. Do not expose port 2688 to a network, avoid entering valuable API tokens until credential logging/persistence is fixed, and restrict uploads/save paths to a dedicated image folder. The open-folder endpoint, arbitrary local-path upload support, and frontend eval should be reviewed or removed before routine use.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the local service is reachable or misused, files from arbitrary local paths could be sent to the external upload service, not just images the user intentionally selected.

Why it was flagged

The upload service is not limited to browser-selected images; it accepts local absolute paths, reads the file from disk, and uploads the content to the configured provider using a platform token.

Skill content
Supports multiple input formats... 2. Local absolute path - reads the file from disk and uploads it ... const buffer = fs.readFileSync(filePath); ... axios.post(config.server.upload_url, formData, { headers: { 'Authorization': `Bearer ${platformToken}`
Recommendation

Restrict uploads to explicit user-selected image files, validate MIME type and extension, block arbitrary absolute paths by default, and require a clear confirmation before any local file is uploaded.

What this means

A crafted request to the local service may be able to trigger operating-system command execution behavior, especially if command arguments are not safely escaped.

Why it was flagged

The open-folder endpoint takes a path from the HTTP request and the static scan shows it reaches child_process.exec, creating shell-execution risk around a user-controlled path.

Skill content
app.post('/api/open-folder', (req, res) => { ... const { path: folderPath } = req.body; ... fs.existsSync(folderPath) ... exec(command, (error) => {
Recommendation

Avoid shell exec for opening folders; use safer spawn/execFile APIs with argument arrays, restrict paths to the app’s generated image directory, and require local-only authenticated access.

What this means

Provider tokens can remain available to later requests while the server runs and may appear in local logs, increasing the impact of any misuse of the local API.

Why it was flagged

The service persists a request-supplied platform token in process.env and logs the full upload request object, which may include credentials or file data.

Skill content
const platformToken = data.platform_token || process.env.PLATFORM_TOKEN; ... if (data.platform_token) { process.env.PLATFORM_TOKEN = data.platform_token; } ... console.log(data)
Recommendation

Do not log request bodies containing tokens, store credentials in a scoped secret store instead of process.env, and clear or isolate credentials per user/session.

What this means

If attacker-controlled script text can enter the loaded UI content, it could run in the browser context and potentially access locally stored API keys.

Why it was flagged

The frontend dynamically executes text from the DOM, which is not necessary for the stated image-generation purpose and can magnify any HTML/script injection issue.

Skill content
eval($(this).text());
Recommendation

Remove eval and load trusted scripts through static files or explicit module imports; avoid executing script text extracted from HTML.

What this means

Installing later may pull dependency versions that were not the exact versions reviewed here.

Why it was flagged

The skill depends on standard Node packages for its purpose, but caret ranges and no included lockfile mean npm install may resolve different package versions over time.

Skill content
"dependencies": { "axios": "^1.13.6", "cors": "^2.8.6", "express": "^5.2.1", "form-data": "^4.0.0", "sharp": "^0.34.5", "sqlite3": "^6.0.1" }
Recommendation

Use a lockfile or pinned dependency versions and install only from trusted package registries.