Trusted — Risk Score 5/100
Last scan: 18 hr ago
bailian-image-gen
Alibaba Cloud Bailian Qwen Image 2.0 image generation with ComfyUI integration
Alibaba Cloud Bailian image generation skill with legitimate API integration; no malicious behavior detected.
Skill Name: bailian-image-gen
Duration: 28.2s
Engine: pi
Safe to install
This skill is safe to use. No security concerns were identified beyond the low-severity dependency-pinning note under Findings.

Findings (1 item)

Severity | Finding | Location
Low | Dependencies not version-pinned | Supply Chain (requirements.txt:1)

requirements.txt uses lower-bound-only specifiers with no upper bound, so any future release of either package satisfies them:
    requests>=2.28.0
    Pillow>=9.0.0
→ Pin exact versions (==) or use compatible release specifiers (~=) so that an unexpected new major release cannot be pulled in by an ordinary install.
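The following is an added example, not code from the skill or from the scanner, showing the check behind this finding. It parses requirements.txt lines and classifies each specifier by how tightly it constrains the installed version, so lines such as requests>=2.28.0 come out as "unbounded". The two lines quoted by the scan are reused as input; the extra sample lines (urllib3, certifi, idna) are constructed to show the other specifier shapes.

```python
"""Classify requirements.txt specifiers by how tightly they pin a version.

Added example, not code from the bailian-image-gen skill: it reproduces the
check behind the "Dependencies not version-pinned" finding and reports which
lines would let pip resolve to an arbitrary future release.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: the two lines the scan quotes from requirements.txt,
# plus extra (hypothetical) lines showing the other specifier shapes.
SAMPLE_REQUIREMENTS = """\
requests>=2.28.0
Pillow>=9.0.0
urllib3==2.2.1          # exact pin: reproducible, must be bumped by hand
certifi~=2024.2.2       # compatible release: 2024.2.x only
idna>=3.4,<4            # explicit upper bound keeps out the next major
"""

# name, optional [extras], then everything else on the line is the specifier
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_OP_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)")


def parse_requirement(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, specifier) for one line, or None for blanks/comments/options."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, env markers
    if not line or line.startswith(("-", "git+", "http://", "https://")):
        return None  # pip options and VCS/URL requirements: out of scope here
    m = _REQ_RE.match(line)
    if m is None:
        return None
    return m.group(1), m.group(3).replace(" ", "")


def classify_specifier(spec: str) -> str:
    """'exact' (==), 'compatible' (~=), 'bounded' (has a ceiling) or 'unbounded'."""
    clauses = [c for c in spec.split(",") if c]
    if not clauses:
        return "unbounded"  # bare package name: any version at all
    ops = []
    for clause in clauses:
        m = _OP_RE.match(clause)
        if m is None:
            raise ValueError(f"unrecognised version clause: {clause!r}")
        ops.append(m.group(1))
    if any(op in ("==", "===") for op in ops):
        # ==2.28.* pins a release series, not a release, so it is only bounded
        return "bounded" if any(c.endswith(".*") for c in clauses) else "exact"
    if "~=" in ops:
        return "compatible"
    if any(op in ("<", "<=") for op in ops):
        return "bounded"
    return "unbounded"  # only >=, > or !=: no ceiling on what pip may install


def audit_requirements(text: str) -> List[Tuple[str, str, str]]:
    """One (name, specifier, classification) triple per requirement line."""
    rows = []
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed:
            name, spec = parsed
            rows.append((name, spec, classify_specifier(spec)))
    return rows


def unpinned_packages(text: str) -> List[str]:
    """Names whose specifier places no upper bound on the installed version."""
    return [name for name, _, kind in audit_requirements(text) if kind == "unbounded"]


if __name__ == "__main__":
    for name, spec, kind in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:<10} {spec:<16} {kind}")
    print("unbounded:", unpinned_packages(SAMPLE_REQUIREMENTS))
```

An exact pin is the minimum the finding asks for; a fully pinned file with hashes (for example produced by pip-compile --generate-hashes and installed with pip install --require-hashes) is the stronger supply-chain control, because it rejects any artifact whose hash differs from the recorded one rather than only newer versions.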
Resources

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | Lines 62-63 in bailian_image_gen.py read .env; Image.open() reads images
Filesystem | WRITE | WRITE | ✓ Aligned | download_image() writes output files (bailian_image_gen.py:130)
Network | READ | WRITE | ✓ Aligned | requests.post() to dashscope.aliyuncs.com API (bailian_image_gen.py:73)
Environment | READ | READ | ✓ Aligned | os.environ.get('DASHSCOPE_API_KEY') is standard credential access
Shell | NONE | NONE | ✓ Aligned | No subprocess or shell execution found
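To show what the Declared/Inferred comparison above amounts to in code, here is an added example; it is not the scanner's implementation and not the skill's code. It walks the AST of a constructed sample module modelled on the behaviour the report describes (reading .env, os.environ.get, requests.post to the API, writing the downloaded image, Image.open), infers filesystem, network, environment and shell use, and compares the result with a constructed manifest. The sample source, the manifest, and the mapping of GET to READ and POST/PUT/PATCH/DELETE to WRITE are this example's own assumptions.

```python
"""Infer a module's resource use from its AST and compare it with a manifest.

Added example, not the scanner's or the skill's code: derives the Inferred
column (Filesystem, Network, Environment, Shell) and flags rows where the
code does more than the manifest declares.
"""
import ast
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the behaviour the report describes; it is
# NOT bailian_image_gen.py. Comments mark what the walker should infer.
SAMPLE_SOURCE = '''
import os
import requests
from PIL import Image

API_BASE = "https://dashscope.aliyuncs.com/api/v1"

def load_env():
    with open(".env") as fh:                      # Filesystem READ
        return dict(l.rstrip().split("=", 1) for l in fh if "=" in l)

def generate(prompt):
    key = os.environ.get("DASHSCOPE_API_KEY")     # Environment READ
    resp = requests.post(API_BASE, json={"prompt": prompt},
                         headers={"Authorization": f"Bearer {key}"})  # Network WRITE
    return resp.json()

def download_image(url, out_path):
    data = requests.get(url).content              # Network READ
    with open(out_path, "wb") as fh:              # Filesystem WRITE
        fh.write(data)
    return Image.open(out_path)                   # Filesystem READ
'''

# Constructed manifest in the shape of the Declared column. Network is
# declared READ+WRITE because the sample issues both a GET and a POST.
DECLARED: Dict[str, Set[str]] = {
    "Filesystem": {"READ", "WRITE"},
    "Network": {"READ", "WRITE"},
    "Environment": {"READ"},
    "Shell": set(),
}
_NETWORK_WRITE_METHODS = {"post", "put", "patch", "delete"}  # assumption: GET/HEAD are READ


def _dotted_name(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as os.environ.get; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _open_mode(call: ast.Call) -> str:
    """Map the mode argument of a builtin open() call to READ or WRITE."""
    mode = "r"
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = str(kw.value.value)
    return "WRITE" if any(c in mode for c in "wax+") else "READ"


def infer_resources(source: str) -> Dict[str, Set[str]]:
    """Statically collect the resource operations a module performs."""
    found: Dict[str, Set[str]] = {k: set() for k in ("Filesystem", "Network", "Environment", "Shell")}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and _dotted_name(node.value) == "os.environ":
            # os.environ["KEY"] reads; os.environ["KEY"] = ... writes
            found["Environment"].add("WRITE" if isinstance(node.ctx, ast.Store) else "READ")
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in ("os.environ.get", "os.getenv"):
            found["Environment"].add("READ")
        elif name.startswith("requests."):            # module-level requests helpers only
            method = name.rsplit(".", 1)[1]
            found["Network"].add("WRITE" if method in _NETWORK_WRITE_METHODS else "READ")
        elif name.startswith("subprocess.") or name in ("os.system", "os.popen", "os.execv"):
            found["Shell"].add("EXEC")
        elif name == "open":
            found["Filesystem"].add(_open_mode(node))
        elif name.endswith(".open"):                  # e.g. PIL's Image.open
            found["Filesystem"].add("READ")
    return found


def check_alignment(declared: Dict[str, Set[str]], source: str) -> List[Tuple[str, List[str], List[str], str]]:
    """Rows of (resource, declared, inferred, status), one per resource."""
    inferred = infer_resources(source)
    rows = []
    for resource in sorted(set(declared) | set(inferred)):
        d, i = declared.get(resource, set()), inferred.get(resource, set())
        if i - d:
            status = "Undeclared"  # code does something the manifest never admitted to
        elif d - i:
            status = "Unused"      # over-declared: the manifest can be tightened
        else:
            status = "Aligned"
        rows.append((resource, sorted(d), sorted(i), status))
    return rows
```

Run check_alignment(DECLARED, SAMPLE_SOURCE) and every row comes back Aligned; append a subprocess.run call to the sample and the Shell row turns Undeclared, which is the case a reviewer cares about. The reverse mismatch (Unused) is worth acting on too, since a manifest that declares more than the code uses is what a later malicious update would hide behind.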
External URLs (1 item)

Severity | Finding | URL | Location
Medium | External URL | https://dashscope.aliyuncs.com/api/v1 | scripts/bailian_image_gen.py:36

File Tree

5 files · 23.0 KB · 728 lines
Python: 2 files · 419 lines   Markdown: 1 file · 196 lines   JSON: 1 file · 111 lines   Text: 1 file · 2 lines
├─ 📁 assets
│ └─ 📋 comfyui_workflow.json JSON 111L · 2.4 KB
├─ 📁 scripts
│ ├─ 🐍 bailian_image_gen.py Python 219L · 8.2 KB
│ └─ 🐍 comfyui_bailian_node.py Python 200L · 6.7 KB
├─ 📄 requirements.txt Text 2L · 31 B
└─ 📝 SKILL.md Markdown 196L · 5.6 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
requests | >=2.28.0 | pip | No | Version not pinned
Pillow | >=9.0.0 | pip | No | Version not pinned

Security Positives

✓ No shell or subprocess execution - uses only HTTP API calls
✓ API key is sent only to the legitimate Alibaba Cloud endpoint (dashscope.aliyuncs.com)
✓ base64 encoding is standard practice for image API requests, not obfuscation
✓ No credential harvesting or exfiltration - key used only for authentication
✓ No hidden functionality - all behavior matches documentation
✓ No suspicious network patterns - only connects to documented API endpoint
✓ Clean code structure with proper error handling
✓ Environment variable loading follows standard Python practices