Skillv1.0.3

ClawScan security

Sih.AI Photo Changer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 10:18 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's functionality (image editing via a remote API) matches its description, but it contains a hard-coded API token and sends user images to an external endpoint that isn't documented in SKILL.md — this is disproportionate and raises privacy/credential concerns.
Guidance: This skill will upload images (including local files you point it at) to a third-party service using an API key embedded in the script. Consider the following before installing or running it: - Do not run the script with sensitive or private images until you confirm where data is sent and who controls the API account. The embedded key means images will be processed under someone else's account. - Ask the maintainer to remove the hard-coded API token and require users to provide their own key (e.g., via an environment variable). Preferably, the SKILL.md should document the exact API host and data handling/privacy behavior. - If you already ran the script with your images, assume those images were transmitted to api.vwu.ai and review privacy implications. If you are the owner of the exposed token, rotate it immediately; if not, notify the service owner. - If you need this functionality but want to avoid third-party exposure, request a version that uses a user-provided API key and clearly documents where data is sent and retained. Given the hard-coded credential and lack of endpoint disclosure, treat this skill as suspicious and proceed only after the maintainer addresses these issues.
Findings: [hardcoded_api_token_in_code] unexpected: The script contains a bearer token literal (API_TOKEN = "sk-w4YfLv..."). For an image-editing client, user-supplied credentials via env/config should be expected; a hard-coded key is unexpected and risky. [undisclosed_remote_endpoint] unexpected: SKILL.md does not disclose the endpoint used. The code posts images to https://api.vwu.ai/v1/images/generations/, which is not documented in the human-readable instructions and may not match the 'Sih.AI' branding in the description.

Review Dimensions

Purpose & Capability: noteThe code and SKILL.md implement image editing via a remote API, which matches the described purpose. However the script calls https://api.vwu.ai while the description refers to 'Sih.AI', and a bearer token is embedded in the code rather than declared as a user-provided credential. That mismatch and embedded credential are unexpected for a simple integration.
Instruction Scope: concernSKILL.md instructs the user to run scripts/image_gen.py and describes converting local files to Base64 and calling an API, but it does not name the actual API host or reveal that local images will be uploaded to an external service using a hard-coded token. Transmitting local image files (including potentially sensitive images) to an undocumented external endpoint is a privacy risk and should be disclosed explicitly.
Install Mechanism: okThere is no install spec (instruction-only skill with an included script). That minimizes install risk. The script requires the 'requests' library but no installation instructions are provided — minor usability issue but not a direct security problem.
Credentials: concernThe skill requests no environment variables, yet the script contains a hard-coded API token (API_TOKEN = "sk-..."). A legitimate design would require the user to supply their own API key via an env var or config; embedding someone else's secret in code is disproportionate and suspicious because it gives the remote service access to all images processed and could allow abuse of that account.
Persistence & Privilege: noteThe skill is not 'always' and does not request system-wide privileges. However, because it can be invoked normally by the agent, autonomous invocation would allow the agent to send images to the remote endpoint using the embedded token. Autonomous invocation combined with the hard-coded credential increases the blast radius and privacy risk.