Image Gen

Pass

Audited by ClawScan on May 1, 2026.

Overview

This image-generation skill appears coherent and purpose-aligned, but users should know it sends prompts/reference images to an external API and uses a local API key file.

This skill looks suitable for its stated image-generation purpose. Before installing, make sure you trust the configured image API provider, protect the IMAGE_API_KEY in the .env file, and avoid sending private or sensitive reference images unless you accept that they will be processed by the external service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Images or prompts used for generation may be transmitted to the third-party API provider.

Why it was flagged

The skill discloses sending prompts and reference images to an external image-generation API, which is expected for the feature but may involve sensitive user-provided images.

Skill content
Base URL: `https://api.imyaigc.top` ... **For image-to-image**: the reference image is converted to base64 and passed in the API's `image` parameter
Recommendation

Only use reference images and prompts you are comfortable sending to the configured provider, and verify the provider’s privacy/data-retention terms.

What this means

The configured image API key authorizes requests to the provider and could incur usage or expose account access if mishandled.

Why it was flagged

The script requires and uses a bearer API key for the image provider. This is purpose-aligned, but users should notice that a credential is involved.

Skill content
if [[ -z "$IMAGE_API_BASE_URL" || -z "$IMAGE_API_KEY" ]]; then ... -H "Authorization: Bearer ${IMAGE_API_KEY}"
Recommendation

Store the API key securely, use a key scoped to image generation if possible, and rotate it if the .env file is shared or exposed.

What this means

A malicious or accidentally modified .env file could run shell commands when the helper script is executed.

Why it was flagged

The shell helper sources the .env file, which means shell content in that file would execute. This is a common setup pattern but the config file must be trusted.

Skill content
ENV_FILE="$SCRIPT_DIR/.env" ... source "$ENV_FILE"
Recommendation

Create the .env file yourself, keep it private, and avoid pasting untrusted shell content into it; parsing key/value pairs without `source` would be safer.