Back to skill
Skillv1.0.0
ClawScan security
Stability Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 12, 2026, 11:29 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions mostly match its declared purpose (calling Stability AI), but there are several inconsistencies (undeclared required env var, mismatched script path, and vague 'auto-dependencies' behavior) that deserve clarification before installing.
- Guidance
- What to check before installing: 1) The SKILL.md and generate.py require STABILITY_API_KEY (and optionally API_HOST) but the registry metadata doesn't declare any required env vars — ask the publisher to correct that. 2) Verify where you'll store the API key (.env is plaintext) and consider using a limited-scope key or dedicated account. 3) Confirm how dependencies are installed — SKILL.md promises auto-install but no install script is provided; prefer explicit install steps or run in an isolated virtualenv/container. 4) Note the SKILL.md calls scripts/generate but only scripts/core/generate.py exists — ask whether a wrapper is missing. 5) Review the code yourself (or in a sandbox) to confirm there are no unexpected network endpoints or secret exfiltration — the script appears to call only the configured API_HOST and no other external hosts. 6) If uncertain about the publisher (source/homepage unknown), run this skill in an isolated environment and avoid using high-value API keys until you verify behavior.
Review Dimensions
- Purpose & Capability
- concernThe skill purpose (call Stability AI to generate images) aligns with the included Python script which posts to stability.ai endpoints. However the registry metadata claims no required environment variables or primary credential while the SKILL.md and generate.py clearly require STABILITY_API_KEY (and optionally API_HOST). That metadata mismatch is a meaningful coherence issue.
- Instruction Scope
- noteSKILL.md instructs creating a .env with STABILITY_API_KEY and running scripts/generate. The runtime instructions stay within image-generation scope and the script only uses STABILITY_API_KEY and optional API_HOST. Note: the SKILL.md suggests dependencies are 'automatically handled on first run' despite no install spec; also it tells users to store secrets in .env (a common but plaintext approach).
- Install Mechanism
- noteThere is no install spec (lowest install surface). A requirements.txt lists requests, python-dotenv, pillow which is reasonable. The SKILL.md's claim that dependencies will be auto-handled is vague — no installer script or manifest entry is provided, so behavior on first run is unclear.
- Credentials
- concernOnly STABILITY_API_KEY (and optional API_HOST) appear in code — appropriate for a Stability AI client. The concern is that the registry metadata does not declare these required env vars or a primary credential, which is an inconsistency that could mislead users about what secrets are needed or stored.
- Persistence & Privilege
- noteThe skill does not request persistent platform privileges or 'always' inclusion. It writes generated images and metadata to disk and performs an auto-cleanup of older files (keeps last 20). Also SKILL.md's example CLI uses scripts/generate but the repository only contains scripts/core/generate.py — there is a path/usage mismatch to clarify. No evidence of modifying other skills or system-wide config.