DrawThings Image Generation
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may need to install a Python package before using the skill.
The skill relies on an external Python package and tells the user how to install it manually. This is normal for an API client, but the dependency is not bundled or pinned in the artifacts.
try:
import requests
except ImportError:
    print("Error: requests library not found. Install with: pip3 install requests", file=sys.stderr)
Install dependencies only from trusted package sources, preferably in a dedicated Python environment.
If configured to a remote or untrusted API URL, your image prompts and settings could leave your machine.
Prompts and generation settings are sent to the configured API URL. The default is localhost and matches the skill purpose, but changing the URL could send prompt contents to another server.
api_url = os.environ.get("DRAWTHINGS_URL", "http://127.0.0.1:7860")
endpoint = f"{api_url.rstrip('/')}/sdapi/v1/txt2img"
...
response = requests.post(endpoint, json=payload, timeout=300)
Use the default localhost DrawThings URL or another server you trust, and avoid putting sensitive information in prompts sent to remote endpoints.
Generated-image prompts and parameters may remain in local files after generation.
The script writes a JSON sidecar file containing the prompt and generation metadata. This is disclosed and useful for reproducibility, but it persists prompt text on disk.
info_data = {
"prompt": prompt,
"parameters": info,
"timestamp": timestamp,
"files": saved_paths,
}
info_path.write_text(json.dumps(info_data, indent=2))
Avoid including private information in prompts, or delete the generated metadata JSON files when they are no longer needed.
