Fal Text-to-Image
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the documented commands may install or use third-party Python packages needed for image generation.
The documented workflow may resolve packages at run time, and the dependencies are lower-bound rather than locked. These packages are expected for a fal.ai image tool, but users should be aware of the dependency/provenance surface.
README: "uv handles dependencies automatically"; pyproject: "fal-client>=0.5.0", "python-dotenv>=1.0.0", "pillow>=10.0.0", "click>=8.1.0", "requests>=2.31.0"
Install from a trusted source, review dependency versions if reproducibility matters, and consider using a lockfile or controlled Python environment.
The skill can make requests against the user's fal.ai account and may incur usage charges depending on the selected model.
The skill requires a fal.ai API key and can use paid models. This is expected for the stated service integration, but it is a credential and billing-capable account authority that users should notice.
Set environment variable: `export FAL_KEY="your-api-key-here"` ... "Premium: flux-pro models charged per megapixel"
Use a dedicated fal.ai key if possible, monitor usage in the fal.ai dashboard, and avoid sharing the key in prompts or checked-in files.
Prompts, reference images, source images, and masks may be processed by fal.ai rather than staying purely local.
The workflow uses an external provider and accepts local image paths or URLs for remix/edit tasks. Sending images and prompts to fal.ai is purpose-aligned, but users should treat it as a third-party data flow.
"generate, remix, and edit using fal.ai's state-of-the-art models" ... "INPUT_IMAGE Path or URL to source image"
Do not use private, regulated, or sensitive images unless fal.ai's terms and retention practices are acceptable for that data.
If generated images are shared, hidden metadata may reveal prompts, model choices, seeds, or other generation details.
The skill documents persistent embedding of prompts and parameters in generated image files. This is disclosed and useful for reproducibility, but it can preserve sensitive prompt details.
"Metadata Embedding: Stores prompt and generation parameters in image EXIF" ... "Embedded metadata (prompt, model, parameters)"
Avoid including secrets or sensitive details in prompts, and strip image metadata before publishing or sharing externally.
