Image Generate

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward image-generation skill, with minor setup and documentation gaps around credentials, dependencies, and local file output.

Before installing, confirm you are comfortable using an Ark/Volcengine image-generation API key, install the required SDK from a trusted source if needed, and note that generated images are downloaded locally rather than returned only as URLs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malformed or adversarial prompt could cause problems if an agent builds the shell command unsafely.

Why it was flagged

The prompt is passed to a local command. This is central to the skill's purpose, but agents should avoid unsafe shell interpolation when the prompt contains quotes or shell metacharacters.

Skill content

Run the script `python scripts/image_generate.py "<prompt>"`

Recommendation

Invoke the script with safe argument passing or careful quoting, and avoid treating prompt text as executable shell content.

What this means

The skill can consume quota or access the configured image-generation account associated with the provided API key.

Why it was flagged

The skill uses API credentials for the image-generation provider. This is expected for this integration, and the artifacts do not show hardcoded keys, logging of secrets, or unrelated credential use.

Skill content

Prefer reading the `MODEL_IMAGE_API_KEY` or `ARK_API_KEY` environment variable.

Recommendation

Use a scoped API key where possible and confirm the account, quota, and billing implications before use.

What this means

The skill may fail unless the dependency is already installed, and users need to trust the installed SDK source.

Why it was flagged

The script depends on an external SDK, but the artifact set has no install specification. This is a setup/provenance gap rather than evidence of malicious behavior.

Skill content

from volcenginesdkarkruntime import Ark

Recommendation

Install the SDK from a trusted source and pin or review the dependency version in environments where reproducibility matters.