DrawThings Image Generation
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to be a coherent local DrawThings image-generation helper, with only expected API, dependency, and local-output considerations.
This skill looks safe for its stated purpose. Before installing, make sure DrawThings is running locally or that DRAWTHINGS_URL points to a server you trust, install the Python requests dependency from a trusted source if needed, and remember that prompts may be saved in local metadata files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may need to install a Python package before using the skill.
The skill relies on an external Python package and tells the user how to install it manually. This is normal for an API client, but the dependency is not bundled or pinned in the artifacts.
try:
    import requests
except ImportError:
    print("Error: requests library not found. Install with: pip3 install requests", file=sys.stderr)
Install dependencies only from trusted package sources, preferably in a dedicated Python environment.
If configured to a remote or untrusted API URL, your image prompts and settings could leave your machine.
Prompts and generation settings are sent to the configured API URL. The default is localhost and matches the skill purpose, but changing the URL could send prompt contents to another server.
api_url = os.environ.get("DRAWTHINGS_URL", "http://127.0.0.1:7860")
endpoint = f"{api_url.rstrip('/')}/sdapi/v1/txt2img"
...
response = requests.post(endpoint, json=payload, timeout=300)
Use the default localhost DrawThings URL or another server you trust, and avoid putting sensitive information in prompts sent to remote endpoints.
Generated-image prompts and parameters may remain in local files after generation.
The script writes a JSON sidecar file containing the prompt and generation metadata. This is disclosed and useful for reproducibility, but it persists prompt text on disk.
info_data = {
    "prompt": prompt,
    "parameters": info,
    "timestamp": timestamp,
    "files": saved_paths,
}
info_path.write_text(json.dumps(info_data, indent=2))
Avoid including private information in prompts, or delete the generated metadata JSON files when they are no longer needed.
