Skill v0.1.0
ClawScan security
Image Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 14, 2026, 3:05 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches an image-generation purpose but contains inconsistencies (provider vs API key naming), references external shared docs that aren't included, and will create local config/artifacts—you should verify the provider and the LISTENHUB_API_KEY before installing.
- Guidance: This skill appears to implement an image-generation flow, but there are a few things to check before installing: 1) Verify the provider and credential: the instructions call api.labnana.com but the required env var is LISTENHUB_API_KEY — ask the author which service the key is for and whether the key is scoped to image generation only. 2) Because the skill will create .listenhub/image-gen/config.json and save images under .listenhub/image-gen/, confirm you are comfortable with those local files and where they will be stored. 3) The skill references several shared docs that weren't included; ask what those are and what they instruct (especially the authentication and config patterns). 4) Provide a limited-scope or test API key first (not high-privilege production keys) until you confirm behavior. 5) If you plan to supply private reference-image URLs, note they will be submitted as fileUri entries in the API request—avoid sending sensitive internal URLs unless you trust the remote API and have confirmed data handling. If the author can clarify the Labnana vs ListenHub naming and supply a homepage or source repository, that would raise confidence.
Review Dimensions
- Purpose & Capability
- concern: The skill claims to call the Labnana image API (base URL https://api.labnana.com) but requires a credential named LISTENHUB_API_KEY. The mismatch between 'Labnana' and 'ListenHub', plus the lack of homepage or source, is unexplained and could indicate sloppy naming or an incorrect/misleading credential requirement. Otherwise, required capabilities (saving generated images locally, building API requests) are consistent with an image-generation skill.
- Instruction Scope
- note: The SKILL.md is detailed and scoped to image generation: it collects parameters via the AskUserQuestion tool, assembles a JSON request, posts to the stated API endpoint, and decodes base64 responses to files. It also mandates reading several shared docs (shared/authentication.md, shared/config-pattern.md, shared/output-mode.md, shared/common-patterns.md) which are not part of the skill bundle—these may be platform-provided, but their absence in the package means the runtime behavior depends on external documentation. The skill will create config files under .listenhub/image-gen and write files to /tmp and .listenhub. It also allows up to 14 external reference image URLs which will be referenced in the API request.
- Install Mechanism
- ok: Instruction-only skill with no installation spec and no bundled code. This is the lowest-risk install mechanism because nothing is downloaded or written by an installer. Runtime behavior is driven by SKILL.md instructions.
- Credentials
- concern: The skill requires a single environment variable, LISTENHUB_API_KEY, which is plausible for an API-based image generator. However, the declared primaryEnv name (LISTENHUB_API_KEY) does not match the API host (labnana.com) referenced in the instructions. Additionally, the runtime instructions also call for reading a config file for API key checks; it's unclear whether the API key is expected in env, config file, or both. The mismatch and dual source for credentials warrant confirmation before providing secrets.
- Persistence & Privilege
- note: The skill is not always-enabled and does not request system-wide privileges. It will create and write configuration and output files under .listenhub/image-gen and temporary files under /tmp; this is reasonable for an image generator but you should expect those local files to be created and stored. The skill does not modify other skills or global settings.
