Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blog Image Claw Skill

Generate blog image claw images using the Neta AI API. Returns a direct image URL.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 165 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (generate blog images via Neta) matches the code and README: the script submits a job to a Neta/TalesofAI API and polls for an image URL. However the registry metadata claims no required env vars/config paths while the code and docs require a NETA_TOKEN and may honor NETA_API_URL — the metadata omission is inconsistent.
Instruction Scope
SKILL.md and README clearly instruct running node blogimageclaw.js and describe supplying NETA_TOKEN via env var or --token. The runtime instructions and code are scoped to generating images and polling for results. The script does read the user's ~/.openclaw/workspace/.env and ~/developer/clawhouse/.env looking for a NETA_TOKEN; this is documented in README but is broader than simply reading an environment variable.
Install Mechanism
No install spec or third-party downloads are included; the package is instruction-only with a local JS file. There is no remote code fetch or archive extraction during install.
Credentials
Functionally the only secret needed is a NETA_TOKEN, which is reasonable for the stated purpose. But the registry metadata incorrectly lists 'none' for required env vars/config paths while the code reads two user dotfiles for tokens. Reading those home-directory files can expose other local configuration if those files contain additional secrets; this mismatch is a proportionality/information transparency problem.
Persistence & Privilege
The skill is not always-enabled and has no special persistence or system-wide privilege requests. It does not modify other skills or global agent settings.
What to consider before installing
This skill implements the advertised functionality (it calls Neta/TalesofAI APIs and returns an image URL), but the registry metadata omitted required configuration: you must supply a NETA_TOKEN (via --token or NETA_TOKEN env var). The script will also look for NETA_TOKEN lines in ~/.openclaw/workspace/.env and ~/developer/clawhouse/.env — these file reads are documented in the README but you should confirm you are comfortable with the skill reading those paths. Before installing: (1) prefer using an environment variable or the --token flag instead of embedding other secrets in the .env files named above; (2) inspect the included blogimageclaw.js (which we reviewed) yourself; (3) avoid passing long-lived or highly privileged secrets on the command line (they may be visible to other local users in process listings); and (4) if you want strict minimal exposure, create a dedicated token with limited scope/credits for this skill. The mismatch between what the registry metadata declares and what the code actually reads is the main reason for caution.
blogimageclaw.js:43
Environment variable access combined with network send.
blogimageclaw.js:2
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Current version: v1.1.4
latest vk9796945htvhw73ams6gmrzgm583h1kb

SKILL.md

Blog Image Generator

Generate stunning AI blog image generator images from a text description. Get back a direct image URL instantly.

When to use

Use when someone asks to generate or create AI blog image generator images.

Quick start

node blogimageclaw.js "your description here"

Options

  • --size: portrait, landscape, square, tall (default: landscape)

Token

Requires a Neta API token via NETA_TOKEN env var or --token flag.

export NETA_TOKEN=your_token_here

Install

npx skills add BarbaraLedbettergq/blog-image-claw-skill

Files

4 total