Draw Things Image Generation

Security checks across malware telemetry and agentic risk

Overview

This plugin does what it says: it runs the local Draw Things CLI to generate or edit images, with expected local file output and no evidence of exfiltration or deception.

Install this only if you are comfortable letting OpenClaw run your local Draw Things CLI and save generated images under the configured output directory. Consider changing outputDir to a private folder if prompts or edited source images may be sensitive, and keep cliPath pointed at the real Draw Things binary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The code writes user-supplied input images to disk in a persistent output directory before invoking the CLI. In an agent context, this can expose sensitive user content to other local users, backup/sync services, or later forensic recovery, especially because there is no visible consent, secure temporary-file handling, or guaranteed cleanup beyond the success path.

Missing User Warnings

Medium
Confidence: 93%
Finding
Generated images are written by default to ~/Downloads/draw-things-output, a persistent and user-visible location that may be synced, indexed, or accessible by other local processes. In a skill handling potentially sensitive prompts or edits, silently persisting outputs increases privacy and data-retention risk.

VirusTotal

62/62 vendors flagged this plugin as clean.