Filtrix Image Generation
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its image-generation purpose, but its fal.ai edit path disables a provider safety checker while using API keys and uploading selected images to third-party providers.
Install only if you are comfortable with third-party AI providers receiving your prompts and selected images. Set only the API keys you want the agent to use, monitor API costs, and consider removing or changing the fal.ai edit setting that disables safety checking before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
fal.ai edits may bypass a provider safeguard and produce or return content the user did not expect to be allowed.
The fal.ai edit request uploads the input image and explicitly disables the provider safety checker. That is not necessary for normal image editing and is not called out in the user-facing setup or usage instructions.
"enable_safety_checker": False,
"enhance_prompt_mode": "standard",
"sync_mode": True,
"image_urls": [data_uri],
Do not disable provider safety checking by default. Make any safety-related option explicit, documented, and user-controlled.
Using the skill can consume paid API credits or quota for the configured provider account.
The skill uses user-supplied provider credentials. This is expected for image generation, but it gives the skill authority to spend quota or incur charges on whichever provider key is available.
| OpenAI | `OPENAI_API_KEY` | platform.openai.com |
| Gemini | `GOOGLE_API_KEY` | aistudio.google.com |
| fal.ai | `FAL_KEY` | fal.ai/dashboard |
Set only the provider keys you intend to use, monitor usage, and ask the agent to confirm provider/model choices for expensive generations.
Sensitive photos or private images provided for editing will be transmitted to an external AI provider.
For image editing, the script reads the selected local image, encodes it, and sends it to the chosen provider API. This is purpose-aligned but means local image content leaves the machine.
img_b64, mime = _read_image_b64(image)
...
{"inlineData": {"mimeType": mime, "data": img_b64}}
Only edit images you are comfortable sending to the selected provider, and review that provider's data-retention and privacy terms.
Users have less external provenance information to verify who maintains the code or where updates come from.
The registry metadata does not provide a source repository or homepage, while the skill includes runnable scripts. The included code is reviewable and has no package install step, so this is a provenance note rather than a standalone concern.
Source: unknown
Homepage: none
...
Code file presence
2 code file(s): scripts/edit.py ... scripts/generate.py
Prefer a published source repository/homepage and complete metadata for credentials and runtime requirements.
