image-gen
Audited by Snyk on Jun 18, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill's examples and configuration instructions require the API key to be supplied in plaintext as a command-line argument (--api-key ak_...), as an environment variable, or written into a configuration file, which means the agent or its output may need to include or pass the plaintext key, posing a high risk of credential leakage.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I inspected the repository and found a hardcoded API key in assets/imagegen.py:
PUBLIC_API_KEY = "ak_b45b6a6881f4400fb321428947eb6661"
This is a high-entropy literal (looks like a real token, not a placeholder such as "YOUR_API_KEY" or "ak_你的密钥") and is directly returned/used by get_api_key() and included in request headers. It therefore qualifies as a secret under the defined rules.
Other strings in the docs (environment variable names like REDFOX_API_KEY, example commands, simple/example passwords, and URLs) are documentation placeholders or non-secret values and are ignored per the guidelines.