Generate and iterate on images using Image Sprout projects. Creates consistent outputs from reference images, style guides, and subject guides. Use when an a...
Security Analysis
medium confidence
The skill's instructions and required binary match its stated purpose, but it relies on storing an OpenRouter API key on disk while the registry metadata does not declare any required credentials and the source/binary provenance is unclear. This mismatch and the unauthenticated local web UI are worth caution.
Name/description align with needing an image-sprout CLI binary and local project storage; requiring the image-sprout binary is proportionate. However, the SKILL.md expects an OpenRouter API key to be configured, which is not declared in the registry metadata (no required env or primary credential).
Instructions stay within the image-generation scope: creating projects, adding refs, deriving guides, generating runs, and reading returned image paths. The skill explicitly warns about concurrent state and the unauthenticated web UI. It does instruct storing a secret (OpenRouter key) on disk via the CLI config, and it exposes agent patterns for reading app data paths — both expected for a local CLI-based tool.
Instruction-only skill with no install spec; lowest install risk. The binary requirement is limited to 'image-sprout' on PATH, but the registry lacks a homepage/source field even though SKILL.md metadata references a GitHub repo; users should verify binary provenance before installing/running.
SKILL.md requires an OpenRouter API key to be persisted via 'image-sprout config set apiKey', but the registry metadata declares no required environment variables or primary credential. This is an inconsistency: the skill needs a secret but the manifest doesn't enumerate it. Storing an API key on disk (and letting the CLI manage it) is plausible for this tool, but users should understand where it is stored and whether that storage is acceptable.
The skill does not request always:true, requires no config paths in the registry, and is user-invocable only. It does cause the CLI to persist configuration (api key, model selection, current project) to disk, which is expected for a local CLI tool.
Guidance
This skill appears to be a wrapper around a local CLI ('image-sprout') and is mostly coherent, but note two issues: (1) the runtime docs require storing an OpenRouter API key on disk, yet the registry manifest does not declare any required credentials — confirm you are comfortable with how and where the CLI stores that key before using it; (2) the SKILL.md references a GitHub repo but the skill metadata has no homepage/source — verify the 'image-sprout' binary you install comes from the official project (check the GitHub repo and release checksums). Also avoid exposing the web UI to the public internet (the docs explicitly warn it has no authentication). If you want higher assurance, ask the publisher for a release URL, checksums, and an explanation of where config (the API key) is stored and protected.
Latest Release
v1.0.2
- Improved documentation clarifies the core concepts, CLI workflow, and agent usage patterns.
- Added detailed instructions for project setup, image guide derivation, and model management.
- Highlights the importance of explicit project selection for safe parallel use.
- Describes web UI usage, security best practices, and integration with agent workflows.
- Outlines best practices for extracting image paths and collaborating with downstream tools.
Published by @tmchow on ClawHub