Community code plugin. Review compatibility and verification before install.
Latest release: v1.1.5
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The plugin implements a local image-generation provider that executes a CLI (execFile of cliPath, default 'draw-things-cli') and reads generated images from disk — this is coherent with the declared purpose. Minor mismatch: registry metadata lists no required binaries even though the plugin clearly expects a draw-things CLI binary (configSchema.cliPath). Users must install that external CLI for the plugin to work.
Instruction Scope
Runtime code (src/index.ts / dist/index.js) stays within the stated scope: it constructs CLI args, creates an output directory (default under the user's home Downloads), runs the CLI, checks output, and reads the generated image files. There are no instructions to read unrelated system files, exfiltrate data, or contact external endpoints.
Install Mechanism
No install spec is provided (instruction-only in terms of installation), and the shipped source/dist files are plain JS/TS. No downloads from arbitrary URLs or archive extraction. Risk from install is low — the plugin will run inside Node and expects the user to provide the external CLI binary separately.
Credentials
The skill requests no environment variables or credentials. Config options (cliPath, modelsDir, outputDir, defaultModel, etc.) are appropriate for a local CLI-based image generator. There are no hidden env reads in the code.
Persistence & Privilege
The plugin manifest sets enabledByDefault: true (openclaw.plugin.json), which means it may be enabled for users unless they disable it. always: false and no special privileges are requested. Note: being enabled by default increases visibility/availability but is not the same as always:true.
Assessment
This plugin appears to be what it claims: it calls a local 'draw-things' CLI to generate images and returns the image buffers. Before installing:
1) Ensure you trust and have installed the draw-things-cli binary from a reputable source (the plugin does not declare required binaries).
2) Be aware the plugin will execute that local binary (child_process.execFile) — the binary runs with the same user privileges as the agent and can access any files the binary is allowed to.
3) By default it writes outputs to ~/Downloads/draw-things-output (configurable) and can be pointed at a models directory you control; review and configure outputDir, modelsDir, and cliPath to safe locations.
4) The plugin does not send data over the network or require credentials, but you should verify the external CLI you install is trustworthy since any malicious CLI would be invoked by this plugin.
If you want reduced exposure, disable the plugin by default or change the output and cli paths before enabling.