Watercolor Art Generator

v1.0.0

AI watercolor art generator — create stunning watercolor paintings, portraits, and illustrations instantly. Perfect for watercolor portrait commissions, digi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim an AI watercolor generator and the code + SKILL.md implement a text-to-image request to a Neta/TalesOfAI API (api.talesofai.com). Required inputs (an API token and prompt) match the stated purpose; no unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructs running the included Node script with a --token flag and prompt. The runtime instructions and code only make HTTPS requests to api.talesofai.com and do not read files, system configs, or other environment variables. Note: the skill requires passing the token as a command-line argument which can expose the token to other local users via process listings; the script does not directly read a NETA_TOKEN env var.
Install Mechanism
There is no install spec and only a small JS file is included; nothing is downloaded or written to disk by an installer. This is the lowest-risk installation model.
Credentials
The only secret required is an API token for the stated image service, which is proportionate. However, the token is passed via a CLI flag (or shell expansion) rather than read directly from an environment variable or config file — this can leak the token to other processes/users on the same host. No other credentials or sensitive env vars are requested.
Persistence & Privilege
The skill does not request persistent or elevated presence (always is false), does not modify other skills or system settings, and does not store credentials on disk.
Assessment
This skill appears to be what it claims: a small CLI wrapper that calls the Neta/TalesOfAI image API and returns an image URL. Before installing: (1) note the package source is listed as unknown and there is no homepage — verify the publisher or review the code yourself (the included JS is small and readable). (2) Avoid passing long-lived secrets on the command line on multi-user machines (process listings can expose them); prefer using ephemeral tokens or running in an isolated environment. (3) If you install and use it, consider using an API token you can rotate/revoke and run the script in a sandbox or container if you have concerns about provenance.

Like a lobster shell, security has layers — review code before you run it.
