Snap Illustrator

What to consider before installing: - The core code (scripts/generate.mjs) is small and implements the advertised behavior: it tries Pollinations (unauthenticated) and falls back to HuggingFace if an HF token is available. - However, the registry metadata declaring HF_TOKEN as required is inconsistent with the SKILL.md's zero‑config promise — don't assume you must supply a token to use the skill. - The runtime instructions tell the agent to edit the skill's SKILL.md to store an HTTP proxy and to reuse it automatically later. Be cautious: this persists configuration into the skill bundle and enables future automatic behavior without explicit per‑run consent. - If asked for a HuggingFace token, only provide it if you trust the skill and understand that the script will use it to call HuggingFace APIs; avoid pasting secrets into chat. Prefer to run the Node script yourself locally so you control where tokens are stored. - If you install: (1) review/approve any changes before the skill edits files, (2) verify that the skill will not store your token unencrypted in global config unless you explicitly ask, and (3) consider running the included script manually in a sandboxed environment to verify outputs first. - If you want to proceed, ask the author to remove HF_TOKEN from the 'required' metadata (make it optional/fallback) and to stop recommending editing SKILL.md for proxy storage; store per‑user proxy settings in a clearly scoped config with explicit user consent instead.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.