ClawHub

Generate images using Runware API

v1.0.0

Generate high-quality images on-demand via the Runware.ai API. This skill is the default image generator. Use it whenever the user asks to "generate an image...

0· 487·0 current·0 all-time
by@geeklord
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The repository contents (Python CLI script calling https://api.runware.ai/v1/tasks) match the stated purpose of generating images via Runware. However, the registry metadata declares no required environment variables or primary credential while the script clearly requires a RUNWARE_API_KEY. Several documentation claims conflict with the code (e.g., SKILL.md says images save to the user's Downloads folder by default, but the code defaults to a configurable default_output_dir and README refers to ~/runware_images). These mismatches are incoherent and should be clarified.
!
Instruction Scope
SKILL.md instructs the agent to 'Do NOT ask the user for the RUNWARE_API_KEY' and to 'Execute the script directly' without clarifying questions in most cases. The code, however, will prompt interactively for the API key if none is in the environment and enforces a prompt safety check that may abort generation (e.g., referencing teen/minor words). The instructions therefore overrule or contradict the script behavior and give the agent broad discretion to run the CLI immediately—this is risky and not fully consistent.
Install Mechanism
There is no install spec; this is essentially an instruction + included script bundle. Dependencies are minimal and declared in requirements.txt (requests, python-dotenv, pytest). No external downloads or obscure install URLs are used.
!
Credentials
The skill requires a Runware API key at runtime (RUNWARE_API_KEY) but the registry metadata lists no required env vars or primary credential—this is an important mismatch. The code loads .env from the skill directory and will also prompt for the key if absent; tests include an integration test gated on RUNWARE_API_KEY. The skill therefore needs a secret to function, and the documentation/inventory should declare that explicitly.
Persistence & Privilege
The skill does not request always:true and does not alter other skills. It does write to its own skill-config.json to persist last_output_dir and will create directories and write image files to the filesystem (default configurable path). This file-system persistence is expected for an image-saving CLI but note it will create and update files in the skill directory and create user output directories.
What to consider before installing
This skill appears to be a legitimate Runware image CLI, but there are several things to check before installing or allowing it to run autonomously: - RUNWARE_API_KEY is required at runtime but the registry metadata does not declare any required env vars. Provide the key securely (environment variable or secret manager) and do not store it in the repo. Verify the agent will not accidentally log or transmit the key elsewhere. - SKILL.md instructs agents to never ask for the API key and to execute the script immediately; the script will prompt for a key if missing. Decide whether you want the agent to run the CLI without clarifying questions—this could cause undesired generations. If unsure, disable autonomous invocation or require explicit user consent before running. - There are conflicting statements about default save location (SKILL.md says Downloads; README and code use default_output_dir ~/runware_images and the skill writes last_output_dir to skill-config.json). Confirm and, if desired, change the default output path in skill-config.json to a safe location, and be aware the script will persist last_output_dir by writing to the skill's config file. - The prompt safety check is simple string matching (e.g., blocks 'teen', '13', etc.). This is a basic filter and not a substitute for policy review—inspect validate_prompt if you need stricter or different behavior. - Review the code yourself (generate_image.py) to ensure there are no additional endpoints or telemetry, and run tests locally (pytest). The project has no external install URLs and uses common Python libs, which reduces supply-chain risk. If you are comfortable with an agent invoking a local script that will read a .env in the skill directory and write image files to disk, and you will provide RUNWARE_API_KEY via a secure mechanism, the inconsistencies appear to be sloppy documentation rather than malicious behavior. If you need autonomous generation to be tightly controlled, require explicit user approval before the skill executes or correct the metadata and SKILL.md so behavior matches exactly.

Like a lobster shell, security has layers — review code before you run it.

latestvk9755cqb477j1g50nsqq8v566h8170bz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments