v1.0.0

Visual Prompt Engine

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:48 AM.

Analysis

This skill appears benign: it generates image prompts using local reference data and optional Dribbble collection. Its local prompt history and optional automation are disclosed, and are worth being aware of.

Guidance: This skill looks appropriate for generating image prompts. Before installing, be aware that its helper scripts can fetch public Dribbble data and write local JSON files, and that prompt history may persist locally. Verify the package source before running scripts or optional dependencies, and only enable the daily cron refresh if you want ongoing background updates.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill. Code file presence: 2 code file(s)

The registry context provides limited provenance while the skill includes runnable helper scripts. This is a provenance note, not evidence of malicious behavior.

User impact: If you run the included scripts, you are trusting code from a package with limited registry provenance.
Recommendation: Review the scripts and source location before running them, and install only from a trusted ClawHub or repository source.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
Browse `https://dribbble.com/shots/popular` with a browser tool (Camofox, Playwright, etc.)... Alternative: RSS/HTML (may be blocked by WAF)

The skill may direct the agent to use browser or scraping tools to collect public design references. This is central to the skill's purpose, but it involves third-party web access and should remain user-directed.

User impact: Your agent may make web requests or browser visits to Dribbble from your environment.
Recommendation: Use this collection workflow only when you want it, keep request counts modest, and respect the target site's terms and access limits.

Rogue Agents
Severity: Low; Confidence: High; Status: Note
SKILL.md
Automation (Optional) Set up a daily cron to refresh visual references

The documentation describes optional recurring refresh automation. It is not installed automatically in the artifacts, but enabling it would create ongoing background activity.

User impact: If you set up the cron job, the skill may periodically fetch references and update local data without a new prompt request.
Recommendation: Only enable the cron job if you want recurring refreshes, and document where it runs and which files it updates.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
Check against recent prompts in `data/prompt_history.json` to prevent repetition; Append the new prompt to history

The skill keeps a local prompt history and reuses it across future prompt-generation tasks. This is disclosed and purpose-aligned for deduplication, but it is persistent context.

User impact: Image prompt text, and potentially parts of user creative requests, may remain in a local history file and influence later outputs.
Recommendation: Avoid using highly sensitive prompt content with this skill, or periodically clear `data/prompt_history.json` if you do not want prior prompts reused.