Generate images using Runware API
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Runware image-generation skill, but it uses a Runware API key, sends prompts to Runware, and saves files locally.
Before installing, make sure you are comfortable providing a Runware API key, sending image prompts to Runware, possibly using Runware credits, and saving generated files locally. Consider pinning dependencies and editing skill-config.json to remove or replace the packaged last_output_dir.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires trusting it with a Runware API key, and requests may consume the user's Runware account quota or credits.
The skill uses the user's Runware API key as a bearer token to call the Runware API. This is expected for an image-generation integration, but it is still account-level credential use.
v = os.getenv("RUNWARE_API_KEY") ... "Authorization": f"Bearer {api_key}"Use a dedicated Runware key if possible, store it in .env or a secret manager, and revoke or rotate it if you stop using the skill.
Any private or sensitive details included in prompts may be processed by Runware.
The user's image prompt is included in the payload sent to Runware's external API. This is central to the skill's purpose and is disclosed, but it means prompt contents leave the local environment.
url = "https://api.runware.ai/v1/tasks" ... "positivePrompt": prompt
Avoid putting confidential information in image prompts and review Runware's terms and privacy policy before use.
A normal image request may immediately call Runware and save a file, potentially using API credits.
The skill instructs the agent to run the image-generation script directly for user image requests. This matches the skill purpose, but it reduces extra confirmation before an external API call and local file write.
**Do NOT ask clarifying questions** ... use your best judgment for the prompt and run the script immediately. ... **Execute the script directly.**
Install this only if you want Runware to be used automatically for image-generation requests; ask the agent for confirmation first if cost or output location matters.
Future dependency updates could change behavior or introduce vulnerabilities outside this skill's code.
The dependency list uses a minimum version for requests/pytest and no version pin for python-dotenv. This is common for small Python tools, but it leaves future installs dependent on whatever package versions are current.
requests>=2.28.0 python-dotenv pytest>=7.0.0
Prefer pinned versions or a lockfile when installing in a sensitive environment.
Generated images may be saved to a remembered or publisher-specific path rather than the documented default until the config is changed.
The packaged config includes a persisted output directory value, and the script later reads and updates this field. It is not a secret, but it is persistent state that can affect where images are saved.
"last_output_dir": "H:\\Downloads\\runware_images"
Review skill-config.json before first use and clear or set last_output_dir to your preferred output directory.