Picture it!
v1.0.5Generate and edit images from the CLI using picture-it. Use this skill whenever the user asks to create, edit, or manipulate images — blog headers, social ca...
⭐ 1· 54·0 current·0 all-time
byGeon George@geongeorge
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the declared requirements: picture-it CLI and Node are required and FAL_KEY is needed for AI-backed operations. The declared config path (~/.picture-it/config.json) and FAL network usage align with the stated purpose.
Instruction Scope
SKILL.md stays on-task and gives detailed, prescriptive CLI workflows. It explicitly documents which commands send images to fal.ai (generate, edit, remove-bg, upscale) and which are local-only. This is appropriate, but important: user images and prompts will be uploaded to fal.ai by those commands and cost money. No instructions appear to request unrelated system files or credentials.
Install Mechanism
The skill bundle itself is instruction-only (no install spec in registry), which is low-risk. The SKILL.md recommends installing picture-it via npm (public registry). That is a normal install path, but npm packages execute code on install — users should verify the package and GitHub source before installing globally. Minor inconsistency: registry metadata listed 'No install spec' while SKILL.md includes an 'openclaw.install' block recommending npm.
Credentials
Only one credential is requested (FAL_KEY), which is proportionate for a tool that calls fal.ai. The skill documents using either environment variable or CLI config (~/.picture-it/config.json with 0600). There are no unrelated secrets requested.
Persistence & Privilege
always:false and standard agent invocation settings are used. The skill does not request system-wide modifications or other skills' credentials. Storing auth in the tool's own config file is expected behavior.
Assessment
This skill appears to do what it says: it runs the picture-it CLI and uses your FAL API key to call fal.ai for generation/editing. Before installing or using it: 1) Confirm the npm package and GitHub repo (https://github.com/geongeorge/picture-it and npm package name) to ensure the code is what you expect; review the package source if you plan to install globally. 2) Understand that generate/edit/remove-bg/upscale will upload user images and prompts to fal.ai and will incur costs; read fal.ai's privacy/retention policy and consider using an API key with limited scope or an expendable key. 3) Prefer storing FAL_KEY in your platform's secret manager rather than pasting into chat; if using CLI auth, the config file is stored at ~/.picture-it/config.json (SKILL.md recommends 0600). 4) Because SKILL.md suggests npm install -g, be aware npm installs can run install scripts — consider installing in an isolated environment or reviewing package scripts first. 5) If you need stricter guarantees about data residency or non-exfiltration, do not use the FAL-backed commands; local-only commands (crop, grade, compose, text) run offline. Overall: coherent and expected behavior, but verify package origin and accept that image uploads and billing are part of its operation.Like a lobster shell, security has layers — review code before you run it.
latestvk97far1f85n39695dxfjjyzkqn849fx1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode, picture-it
EnvFAL_KEY
Config~/.picture-it/config.json
Primary envFAL_KEY