Fal Text-to-Image

v0.1.0

Generate, remix, and edit images using fal.ai's AI models. Supports text-to-image generation, image-to-image remixing, and targeted inpainting/editing.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The name/description (fal.ai text-to-image) match the documented behavior (calling fal.ai models). However the SKILL.md and README repeatedly instruct running local scripts (fal-text-to-image, fal-image-remix, fal-image-edit) that are listed in the README file structure but are not present in the manifest. That mismatch (documentation expecting local scripts while the package contains only docs and a pyproject) is inconsistent and may mean the skill is non-functional or relies on fetching/creating code at runtime.
[!] Instruction Scope
The runtime instructions stay within the stated purpose (generation/remix/editing) but they also instruct the user/agent to set an API key (FAL_KEY), create a .env in the skill directory, write outputs/ files, and embed metadata in EXIF. Those actions are reasonable for a client, but the instructions also assume executing local Python CLI scripts that do not exist in the bundle — granting the agent discretion to fetch or run missing code would broaden scope. No instructions request unrelated system files, but storing credentials in a skill directory is a potential leak.
Install Mechanism
There is no install spec (instruction-only), which limits what is written to disk by the skill itself. The pyproject.toml lists plausible dependencies (fal-client, python-dotenv, pillow, click, requests). Because no code files are present, it's unclear how those dependencies or the referenced scripts would be installed/used in practice; lack of an explicit install step reduces installer risk but increases ambiguity about runtime behavior.
[!] Credentials
The metadata declares no required environment variables or primary credential, yet the SKILL.md and README explicitly instruct users to set FAL_KEY (the fal.ai API key) or create a .env with FAL_KEY. This is an incoherence: the skill clearly needs an API key to contact fal.ai, but the registry metadata does not declare it. Additionally, instructions encourage creating a .env in the skill directory (plaintext storage), which is a potential secret-exposure vector if that directory is shared or backed up.
Persistence & Privilege
The skill does not request always: true and has no declared system-wide privileges. It is user-invocable and allows model invocation (defaults), which is normal. There is no evidence it modifies other skills or global agent settings.
What to consider before installing
Do not install or run this skill until these inconsistencies are resolved. Specifically:

(1) Confirm the package actually includes the Python CLI scripts the README/SKILL.md reference — if they are missing, ask the publisher why and avoid running any ad-hoc fetch/install.
(2) Treat the fal.ai API key (FAL_KEY) as a secret: do not store it in a plaintext .env in a shared repo or project directory; prefer platform secret storage or environment-scoped variables.
(3) Verify the skill registry metadata is updated to list FAL_KEY as a required credential so you know what will be used.
(4) If you proceed, run in an isolated environment (container or VM), review any fetched code before execution, restrict the API key's permissions and monitor usage, and be prepared to rotate the key if unexpected network activity appears.

These steps reduce the risk from the missing/declarative code and the undocumented credential requirement.

Like a lobster shell, security has layers — review code before you run it.

latest vk975jh6jxynv7xgkbgz3kjac5980m6ap
