Pindou Skill
Pass
Audited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill
Name: pindou-skill
Version: 0.1.0

The pindou-skill bundle is a legitimate tool for generating Perler bead (pindou) patterns from images or text descriptions. The pipeline involves image generation via OpenAI-compatible APIs, grid detection using OpenCV, and color quantization using Lab/CIEDE2000 color space metrics. All scripts (edit.py, generate.py, extract_svg.py, etc.) perform their stated functions using standard libraries like NumPy, SciPy, and Pillow. While the scripts default to a third-party API relay (api.bianxie.ai), this is a common practice for accessing models in certain regions and does not constitute malicious behavior. No evidence of data exfiltration, credential theft, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is stored in a file, anyone or any backup/system with access to that file could potentially use the image API account or incur charges.
The skill needs an image API credential and recommends storing it in script files. That is aligned with the image-generation purpose, but it is a sensitive billing/account credential.
API key / endpoint configuration: the `API_KEY` and `BASE_URL` at the top of `scripts/edit.py` and `scripts/generate.py` are written directly in the files, defaulting to `https://api.bianxie.ai/v1`
Prefer environment variables or a local secrets manager where possible, use a limited-scope/low-balance API key, and avoid committing or sharing modified script files containing real keys.
User photos and prompts may leave the local machine and be processed by the selected external provider or relay.
For photo-based workflows, the script opens the user image and sends it with the prompt to the configured OpenAI-compatible image-edit endpoint, defaulting to bianxie.ai.
DEFAULT_BASE_URL = "https://api.bianxie.ai/v1" ... kwargs = dict(... image=files, prompt=args.prompt, ...) ... resp = client.images.edit(**kwargs)
Do not use private or sensitive photos unless you are comfortable with the chosen provider; review the provider’s privacy/billing terms and switch the endpoint to an official or trusted service if preferred.
Installing unpinned packages can make future installs less reproducible and carries normal third-party package supply-chain risk.
The setup uses PyPI packages without pinned versions other than numpy<2. This is normal for a Python image-processing skill, but package contents can change over time.
pip install openai opencv-python-headless "numpy<2" scipy scikit-image pandas pillow
Install in a virtual environment, consider pinning exact versions after a known-good install, and use trusted package indexes.
