Is aprilox/pollinations-image safe?

https://github.com/openclaw/skills/tree/main/skills/aprilox/pollinations-image

Overall score: 87
Verdict: SAFE

This is a legitimate image generation skill that uses the Pollinations API. The code is well-structured with reasonable input validation and security practices. Minor concerns exist around dynamic command construction and environment file access, but these appear to be used appropriately for the skill's intended functionality.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

MEDIUM Dynamic Command Construction with eval (-20)

The script uses eval to construct and execute curl commands dynamically. Input validation is present, but this pattern is risky if any interpolated variable is not properly sanitized, since unescaped content reaches the shell.

LOW Environment File Access for API Keys (-15)

The script reads .env files to obtain API keys. This is legitimate behavior for an API client, but it means the script has access to potentially sensitive environment variables beyond the key it needs.

LOW Outbound HTTP Requests with User Input (-15)

The skill sends user-provided prompts to external APIs over HTTP. URL encoding is applied, but prompt content is still an outbound channel that could be used for data exfiltration.