Is jau123/creative-toolkit safe?
https://github.com/openclaw/skills/tree/main/skills/jau123/creative-toolkit
This is a legitimate AI image generation MCP server skill that provides a unified interface for multiple image generation providers. The main security consideration is that it executes external NPM packages, but this is transparent and documented with source code references.
Category Scores
Findings (2)
MEDIUM: Remote NPM Package Execution (-25)
The skill instructs users to run 'npx meigen@latest', which downloads and executes external Node.js code from npmjs.com. While the skill is transparent about this behavior and provides source code links, it still represents a code execution risk: external code is downloaded and run on the user's system.
LOW: API Credential Handling (-20)
The skill requires users to configure API tokens (MEIGEN_API_TOKEN), which are accessible to the MCP server process. This is standard for MCP servers but represents a potential exposure risk if the server process is compromised.