Pindou Skill
Pass
Audited by ClawScan on May 8, 2026.
Overview
This skill appears to do what it says—turn images or text into printable bead patterns—but it requires Python package installs, an image API key, and sending photos/prompts to an external image service.
The skill is coherent and purpose-aligned. Before installing, use a virtual environment, protect any API key you configure, review the bianxie/OpenAI-compatible endpoint you choose, and avoid using sensitive personal photos unless you are comfortable sending them to that provider.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is stored in a file, anyone or any backup/system with access to that file could potentially use the image API account or incur charges.
The skill needs an image API credential and recommends storing it in script files. That is aligned with the image-generation purpose, but it is a sensitive billing/account credential.
API key / endpoint configuration: the `API_KEY` and `BASE_URL` at the top of `scripts/edit.py` and `scripts/generate.py` are written directly in the files, and the default endpoint is `https://api.bianxie.ai/v1`
Prefer environment variables or a local secrets manager where possible, use a limited-scope/low-balance API key, and avoid committing or sharing modified script files containing real keys.
User photos and prompts may leave the local machine and be processed by the selected external provider or relay.
For photo-based workflows, the script opens the user image and sends it with the prompt to the configured OpenAI-compatible image-edit endpoint, defaulting to bianxie.ai.
DEFAULT_BASE_URL = "https://api.bianxie.ai/v1" ... kwargs = dict(... image=files, prompt=args.prompt, ...) ... resp = client.images.edit(**kwargs)
Do not use private or sensitive photos unless you are comfortable with the chosen provider; review the provider’s privacy/billing terms and switch the endpoint to an official or trusted service if preferred.
Installing unpinned packages can make future installs less reproducible and carries normal third-party package supply-chain risk.
The setup uses PyPI packages without pinned versions other than numpy<2. This is normal for a Python image-processing skill, but package contents can change over time.
pip install openai opencv-python-headless "numpy<2" scipy scikit-image pandas pillow
Install in a virtual environment, consider pinning exact versions after a known-good install, and use trusted package indexes.
