ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Drawthings Agent

v0.1.1

Generate images using Draw Things app via dt-skill CLI or MCP

1· 107·0 current·0 all-time
by@mijuu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (generate images via Draw Things) matches the SKILL.md: it documents using an MCP tool `generate_image` or the `dt-skill` CLI and parameters for generation, models, upscaling, timeouts, etc. Requesting model and server binary paths is coherent for a local image-generation tool.
Instruction Scope
Instructions are specific and constrained to image generation (prompts, upscales, dimensions, model selection, timeouts). However, the skill mandates running `npm install -g @mijuu/drawthings` if the CLI is missing and asks the agent to request local file paths and to change Draw Things settings (disable FPY), which are system-level user actions beyond pure prompting.
!
Install Mechanism
There is no formal install spec, but the runtime instructions require a global npm install of `@mijuu/drawthings`. A global npm installation modifies the host environment and pulls code from the public registry; the skill metadata provides no homepage or source to verify the package. Installing packages globally without a verified source is a non-trivial risk.
Credentials
The skill declares no environment variables, no credentials, and no config paths. Asking for model and server binary paths is consistent with operating a local model server and does not request unrelated secrets.
Persistence & Privilege
The skill is not flagged with always:true, does not request permanent presence, and contains no instructions to modify other skills or system-wide agent config. The primary privilege concern is the suggested global npm install, which affects the system but is not an automatic persistence privilege.
What to consider before installing
This skill appears to do what it says (drive a Draw Things CLI or MCP), but take these precautions before following its setup steps: 1) Do not blindly run `npm install -g @mijuu/drawthings`. Verify the package on the npm registry (author, maintainers, version history) and inspect its source repository before installing. Prefer a local or isolated install (no -g) or run inside a sandbox/container if possible. 2) The skill will ask you for local model and server binary paths—only provide paths you trust; model files can be large and may contain sensitive or copyrighted material. 3) The SKILL.md tells you to change Draw Things settings (disable Response Compression FPY); understand what that setting does before changing it. 4) If you want lower risk, ask the skill author for a homepage, source repo, or signed package; if available and trusted, that would move this evaluation toward benign. 5) Because the skill suggests installing third-party code and changing system settings, treat it as potentially risky: review the package contents or run the tool in an isolated environment before giving the agent permission to perform these actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk975nqmm7j6spwq1jz0pk4q66s83grpb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments