hd-txt2img-v2L
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can create image-generation tasks under the user's Hidream account.
The script submits an image-generation task to Hidream using user-provided parameters. This matches the stated purpose, but it is still an external API action that can affect account quota or cost.
submit_resp = requests.post(gen_task_url, json=payload, headers=headers, timeout=30)
Use it only with user-approved prompts and settings, and be aware of any Hidream usage limits or costs.
Anyone who obtains the token may be able to use the associated Hidream account or quota.
The skill uses a bearer token supplied by CLI argument or environment variable. This is expected for the Hidream API, but it is sensitive account access and the registry metadata does not declare a primary credential.
authorization = args.authorization or os.getenv("HIDREAM_AUTHORIZATION", "") ... "Authorization": f"Bearer {authorization}"
Prefer an environment variable or secret manager over pasting real tokens into command lines, use a limited-scope token if available, and rotate the token if it appears in logs or shell history.
Sensitive text included in prompts may be processed by the external Hidream service.
The artifact clearly discloses that the user's prompt is sent to Hidream's external API. This is purpose-aligned, but prompt contents leave the local environment.
`POST https://www.hidreamai.com/api-pub/gw/v3/image/txt2img/async` ... `prompt` (string): text prompt
Do not include confidential or regulated information in prompts unless that is acceptable under the user's Hidream agreement and data-handling requirements.
