AI Image Generator & Editor — GPT Image 2, Nanobanana, ComfyUI
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: creative-toolkit
Version: 1.0.33
The Creative Toolkit is a legitimate MCP server for AI image generation, routing requests to MeiGen, OpenAI-compatible APIs, or local ComfyUI instances. It handles local file access for reference images and saves output to a designated directory, which is consistent with its stated purpose. The instructions in SKILL.md are designed to prevent LLM hallucinations and ensure user confirmation for multi-image tasks, rather than to subvert security. Security practices like pinning the npm package version (meigen@1.3.1) and recommending restricted file permissions (chmod 600) for config files are explicitly mentioned in the documentation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill as documented will run external MCP server code from npm.
The runtime depends on an external npm MCP package. It is pinned and disclosed, but the package code itself is not included in the provided artifacts.
`"command": "npx", "args": ["-y", "meigen@1.3.1"]`
Use this only if you trust the package and publisher; verify the npm/GitHub source and keep the version pinned.
A leaked or misused token could consume credits or access the configured provider account.
The skill uses provider credentials for paid or account-backed image generation. This is expected for the purpose, but it grants access to external provider accounts.
To unlock image generation, configure one of these providers: `MEIGEN_API_TOKEN`, `openaiApiKey` + `openaiBaseUrl` + `openaiModel`
Use least-privileged API keys where possible, store them only in local config/env files, and revoke keys if you stop using the skill.
Images you choose as references may be sent to a cloud provider unless you are using the local ComfyUI path.
The tool can read user-specified local reference images and provide them to the configured image provider. The artifacts describe this as user-initiated and purpose-aligned.
Pass local file paths directly in `referenceImages` — images are auto-compressed locally ... and prepared for the selected provider.
Only pass files you intend to share with the selected provider, and use local ComfyUI for images that should stay on-device.
Mistaken tool use could alter or remove workflow templates you rely on.
The skill can mutate or delete local ComfyUI workflow templates. This matches the stated workflow-management purpose but is a local data-changing capability.
`comfyui_workflow` | List, view, import, modify, and delete ComfyUI workflow templates.
Back up important ComfyUI workflows and confirm destructive workflow actions before running them.
Saved preferences or style notes may affect future outputs and could reveal creative preferences if the local config is shared.
The skill can persist user preferences that may influence later image-generation tasks. This is disclosed and aligned with customization.
`manage_preferences` | Save and load user preferences (default style, aspect ratio, style notes, favorite prompts).
Avoid saving sensitive notes as preferences and clear or edit saved preferences when they are no longer desired.
