Recraft AI
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Recraft image tool, but it uses your Recraft API token and sends selected prompts/images to Recraft, so only use it with media you are comfortable uploading.
Before installing, make sure you trust Recraft with the prompts and images you process, keep your API token private, use a safe output folder, and install uv/dependencies from trusted sources.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill gives it access to their Recraft account token, and the user-info command can expose account email/name/credit information in the agent output.
The script authenticates with a Recraft bearer token and includes a command that can retrieve and print account profile details.
headers = {"Authorization": f"Bearer {token}", "X-Client-Type": "openclaw"}
...
make_request("/users/me", token, method="GET")
...
print(f" Email: {result.get('email', 'N/A')}")
Use a Recraft token you are comfortable delegating to this skill, keep logs/private chats protected, and revoke or rotate the token if it is no longer needed.
Private images or prompts selected for processing will be transmitted to Recraft for generation or editing.
Image-editing commands read a local input file and send it to Recraft's external API, which is expected for this image-processing integration.
BASE_URL = "https://external.api.recraft.ai/v1"
...
with open(args.input, "rb") as f:
    files = {"image": f}
Only provide image paths and prompts that are appropriate to share with Recraft, and review Recraft's data handling terms if the media is sensitive.
The skill may download or use a current compatible version of requests rather than a fully pinned, hash-verified dependency set.
The uv-run script declares a non-exact-pinned Python dependency, so installation/runtime dependency resolution depends on the package index state.
# dependencies = [
#   "requests>=2.31.0",
# ]
Install from trusted sources and consider pinning/locking dependencies in controlled environments.
If an unsafe filename is chosen, the script could overwrite files that the current user account can write.
Generated images are written to the caller-supplied output path, with parent directories created automatically.
output_path.parent.mkdir(parents=True, exist_ok=True)
image_data = base64.b64decode(data)
output_path.write_bytes(image_data)
Use a dedicated output directory and timestamped filenames, and avoid pointing --filename at important existing files.
