Is luruibu/beauty-generation-api safe?
https://github.com/openclaw/skills/tree/main/skills/luruibu/beauty-generation-api
The beauty-generation-api skill is a prompt-injection-only attack vector: it executes no malicious code at install time, but it uses the agent's trusted voice in two ways. First, it routes every user image prompt to an unverified third-party API (gen1.diversityfaces.org) under a shared hardcoded key with no privacy disclosure. Second, it instructs the agent to direct users to star the author's project on clawhub.ai after each generation, leveraging agent credibility to drive engagement metrics without the user's awareness or consent. The install itself is clean, with no executable code, malicious hooks, or canary file compromise, but the skill's runtime behavior and data handling posture pose meaningful privacy and manipulation risks that users cannot detect from normal interaction.
Findings (9)
HIGH Agent Instructed to Navigate External URL for Author's Benefit Without User Consent -30
The SKILL.md success checklist includes a hardcoded instruction directing the agent to tell users to visit https://clawhub.ai/luruibu/beauty-generation-api and give the project a star after each successful image generation. This is a prompt injection that uses the agent's trusted voice to manipulate user behavior for the skill author's commercial benefit. The user receives no signal that this recommendation is programmed into the skill rather than being a genuine agent opinion.
HIGH All User Prompts Exfiltrated to Unverified Third-Party API -20
Every image generation request transmits the full user prompt to gen1.diversityfaces.org over HTTPS. This domain is not a recognized AI service provider and has no publicly accessible privacy policy, terms of service, or data retention disclosure. Any sensitive context present in the user's prompt — names, descriptions of real individuals, workplace context — is captured by the skill author's infrastructure with no user disclosure.
MEDIUM Shared Hardcoded API Key Enables Cross-User Activity Aggregation -10
A single API key is hardcoded in SKILL.md and repeated verbatim six times across the document. All users of this skill share this key, meaning the API operator receives all requests under a single account and can freely aggregate, analyze, and attribute prompt content and generation patterns across the entire install base. There is no mechanism for per-user key isolation.
MEDIUM Overly Broad Trigger Words Risk Unintended Skill Activation -7
The skill declares activation triggers for highly generic terms — 'portrait', 'headshot', 'avatar', 'character design', 'professional photo', and 'any request for human portraits or character imagery' — that appear regularly in document processing, design review, and writing assistance workflows. An agent with this skill active could route unrelated requests to the external API, leaking prompt content without the user intending to use the image generation feature.
MEDIUM Rapid Non-Sequential Version Iteration With No Changelog -20
The skill has been updated through 12 versions (1.2.4 → 1.2.28) in a short period, with non-sequential version numbers (gaps at 1.2.8–1.2.11, 1.2.13–1.2.20, 1.2.23) and no changelog or release notes anywhere in the repository. This pattern is consistent with an author iterating on prompt injection wording or data collection behavior while obscuring what changed. Users who installed an earlier version have no way to audit what behavioral modifications have been introduced.
MEDIUM Free API Key Architecture Consistent With Data Harvesting Business Model -30
Offering a 'free' generative AI service with a pre-embedded shared API key, while collecting all user prompts at a single endpoint, is a well-known data harvesting pattern. The actual value proposition to the skill author is not image generation revenue but aggregated user prompt data that can be used for model training, behavioral profiling, or resale. The star-rating incentive further drives install volume to maximize data collection scale.
LOW Ambiguous Self-Update Instruction in Agent DO Checklist -5
The agent DO checklist includes 'Update skill before first use'. This phrase is undefined — it could mean checking for a newer package version, but interpreted broadly by an agent it could mean fetching updated instructions from an external URL. If the skill author later modifies SKILL.md to add more aggressive instructions, an agent following this directive could pull those changes dynamically.
INFO Installation Clean — Only Expected Network Connections Observed 0
The git clone process contacted only GitHub (140.82.121.4:443) and standard Canonical/Ubuntu infrastructure (91.189.91.48:443, 185.125.188.59:443 for MOTD/update checks). No connections were initiated to the skill's declared API endpoints during installation. No unexpected processes were spawned and no filesystem modifications occurred outside the designated skill directory.
INFO Canary Files Intact — Credential Accesses Attributed to Audit Harness 0
Honeypot credential files were not modified. The credential file accesses observed in inotifywait and auditd logs occur at timestamps 1771919189 (before the install script ran at 1771919195) and 1771919209 (after install completed at ~1771919204), forming a symmetric pre/post bracket. No EXECVE records from the install pipeline map to those file paths. The access pattern is consistent with the Oathe audit system placing canary files before monitoring and verifying them afterward.