Trust Assessment
qwen-image received a trust score of 77/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include "Suspicious import: http.client", "Arbitrary File Write via Path Traversal in `--output`", and "Broad Credential Search Path for API Key".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary File Write via Path Traversal in `--output`.** The `scripts/generate.py` script allows users to specify an output file path using the `--output` argument. This path is directly used in `open(output_path, "wb")` without proper sanitization or validation. An attacker could provide a path like `../../../../tmp/malicious.png` to write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing malicious content in sensitive directories, assuming the script's execution context has the necessary write permissions. Implement robust path sanitization for the `--output` argument. Restrict output paths to a designated directory, disallow path traversal sequences (e.g., `..`), and ensure the filename itself is safe. A common approach is to use `os.path.basename()` to only take the filename part, or `pathlib.Path.resolve()` with a check to ensure it's within an allowed base directory. | LLM | scripts/generate.py:209 |
| MEDIUM | **Suspicious import: http.client.** Import of 'http.client' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/irron/qwen-image-skill/scripts/generate.py:13 |
| LOW | **Broad Credential Search Path for API Key.** The `get_api_key` function attempts to retrieve the `DASHSCOPE_API_KEY` from environment variables, but also from `TOOLS.md` located in the current working directory (`Path.cwd() / "TOOLS.md"`) and a hardcoded path (`/home/admin/clawd/TOOLS.md`). While the documentation explicitly mentions `TOOLS.md` as a configuration option, reading from `Path.cwd()` grants the skill broad access to files in the directory from which it is executed. This could lead to unexpected behavior or unintended disclosure if a `TOOLS.md` file exists in the current directory for other purposes, or if the hardcoded path is not controlled by the skill's owner. Consider restricting the search paths for `TOOLS.md` to known, controlled locations (e.g., skill's own directory or a specific configuration directory). If `Path.cwd()` is necessary, clearly document the implications and prioritize environment variables or a dedicated configuration file over arbitrary `TOOLS.md` files. | LLM | scripts/generate.py:26 |
| INFO | **User Prompt Directly Passed to Remote Image Generation API.** The `prompt` argument, which is user-controlled input, is directly incorporated into the JSON payload sent to the Alibaba Cloud Bailian image generation API (`dashscope.aliyuncs.com`). While this is the intended functionality of an image generation skill, it means that any malicious or manipulative instructions within the user's prompt would be processed by the remote AI model. This finding is informational as it does not manipulate the *host LLM* (SkillShield) and the remote service is specialized for image generation, limiting the scope of potential "injection" beyond influencing image content. No direct remediation is required for the skill itself, as this is its core function. However, users of the skill should be aware that prompts are sent to a third-party service. If the remote service were a general-purpose LLM, more stringent input validation might be considered to prevent manipulation of the remote model's behavior. | LLM | scripts/generate.py:115 |