image-generator-custom
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill does what it says—calls a user-configured image-generation API and saves returned images—but users should review the external provider and API key handling.
Before installing, confirm you trust the image API provider, use a limited API key, avoid sensitive prompt content, and run the skill from a directory where saving generated PNG files is acceptable.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The configured API key may authorize paid or account-bound image generation requests to the selected provider.
The script reads a provider API key from environment or credential-style variables and uses it as a Bearer token. This is expected for an image-generation API, but the registry metadata lists no required environment variables or primary credential.
api_key = get_env_var("IMAGE_API_KEY") ... "Authorization": f"Bearer {api_key}"
Use a dedicated, least-privilege API key for the intended provider and verify the API URL before use.
Any sensitive details placed in the image prompt may be shared with the configured image-generation provider.
The prompt and generation parameters are sent to a user-configured third-party API endpoint. This is central to the skill's purpose, but it creates an external data boundary.
response = requests.post(api_url, headers=headers, json=data, timeout=120)
Only use providers you trust and avoid including confidential information in prompts unless the provider's data handling is acceptable.
The skill can create local image files based on content returned by the external provider.
When the API returns an image URL, the script downloads it and writes it to a local PNG file. This is purpose-aligned, but users should trust the configured provider and choose output names carefully.
img_response = requests.get(img_url, timeout=60) ... saved = save_image(img_response.content, filename)
Run it in an intended working directory and use clear output prefixes to avoid placing generated files somewhere unexpected.
