Picnow — Image Generation
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: picnow Version: 1.0.1 The 'picnow' skill is a legitimate tool for generating and editing images via the Picnow API (api.letmego.top). The bundle consists of a SKILL.md guide and a Node.js script (scripts/generate.js) that handles API requests for text-to-image and image-to-image tasks. It requires a user-provided API key (LETMEGO_API_KEY) and operates as described without any signs of data exfiltration, malicious execution, or prompt injection attacks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can consume the user's Picnow/Letmego API quota or balance under their account.
The script uses the user's Letmego API key to authenticate API calls. This is needed for the stated service, but it is still delegated account authority and is under-declared by the registry metadata.
const token = process.env.LETMEGO_API_KEY; ... Authorization: `Bearer ${token}`,Install only if you intend to use Picnow/Letmego, set a dedicated API key if possible, and monitor quota or billing usage.
Reference images or files you provide may leave your machine and be processed by Picnow/Letmego.
When --ref is used, the selected local file is encoded and uploaded to the disclosed Picnow API for image editing. This is purpose-aligned but sends user content to a third-party provider.
const refB64 = await readFileAsBase64(refPath); ... fetch(`${API_BASE}/v1/images/edits`, { method: 'POST', ... body: form })Use reference files only when you are comfortable uploading them, and verify the path before running image-to-image edits.