Back to plugin

Security audit

Plugin

Security checks across malware telemetry and agentic risk

Overview

The skill's code and manifest match its description: it runs a local draw-things CLI to produce images, reads the output files, and returns them; no credentials or network exfiltration are present, but it does execute a local binary and the package metadata doesn't declare that binary as a required dependency.

This plugin appears to be what it claims: it calls a local 'draw-things' CLI to generate images and returns the image buffers. Before installing: 1) Ensure you trust and have installed the draw-things-cli binary from a reputable source (the plugin does not declare required binaries). 2) Be aware the plugin will execute that local binary (child_process.execFile) — the binary runs with the same user privileges as the agent and can access any files the binary is allowed to. 3) By default it writes outputs to ~/Downloads/draw-things-output (configurable) and can be pointed at a models directory you control; review and configure outputDir, modelsDir, and cliPath to safe locations. 4) The plugin does not send data over the network or require credentials, but you should verify the external CLI you install is trustworthy since any malicious CLI would be invoked by this plugin. If you want reduced exposure, disable the plugin by default or change the output and cli paths before enabling.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.