Skill v1.0.0
ClawScan security
fame graphic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 8:40 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated purpose (generating images via the OpenAI Images API) but contains inconsistencies (undocumented required env vars, duplicated files, a Node package.json alongside a Python script) and a minor risk that a custom API base could be repointed for exfiltration — review before installing or running.
- Guidance: What to check before installing or running this skill:
  - The SKILL.md and script require an OpenAI API key (OPENAI_API_KEY or --api-key). The registry metadata did not declare this — treat that as an oversight and only supply a key with appropriate (limited) permissions or use a throwaway key.
  - The script honors OPENAI_BASE_URL / OPENAI_API_BASE. If those environment variables are set in your environment, the script will send prompts and your API key to whatever host they point to. Ensure those vars are trustworthy or unset them before running.
  - The package contains a Python script but also a Node package.json (likely unnecessary). This packaging mismatch is sloppy; review the included scripts/illustrate.py yourself to confirm behavior (it is readable and sends HTTP POST requests to an images/generations endpoint and writes files locally).
  - The manifest lists files twice — this is likely a packaging error but worth noting.
  - Run the script in an isolated environment (no sensitive env vars present), or inspect/edit the code to harden API base handling before use.

  If you are uncomfortable, don't provide your primary OpenAI key — create a limited test key or run in a network-restricted environment. If you want, I can point out the exact lines in scripts/illustrate.py that perform network requests and file writes, or produce a short checklist to safely run the skill.
Review Dimensions
- Purpose & Capability (note): The name/description and the included Python script align: the code builds prompts and posts to an OpenAI Images endpoint to generate illustrations. However, package.json declares a Node engine and lists SKILL.md as the main file while the implementation is Python — this is an odd packaging mismatch and likely unnecessary. The skill manifest also did not declare the OPENAI_API_KEY env var even though SKILL.md and the script require it.
- Instruction Scope (note): SKILL.md's runtime instructions are narrowly scoped to running the included Python script and supplying an OpenAI API key (or --api-key). It does reference local paths (~/Projects/agent-scripts/skills/creative-illustration/scripts/illustrate.py and a default ~/Projects/tmp output dir) which may not exist on the host — these are convenience examples but could reveal assumptions about the user's home layout. The instructions do not request other unrelated files or secrets.
- Install Mechanism (ok): No install spec is provided (instruction-only behavior), and the only code is a Python script included in the bundle. There are no downloads or external installers. The duplication of files in the manifest (SKILL.md, package.json, scripts/illustrate.py each listed twice) is sloppy but not inherently malicious.
- Credentials (concern): The skill requires an OpenAI API key (SKILL.md: OPENAI_API_KEY and the script accepts --api-key), but the skill registry metadata did not list any required env vars — that's an inconsistency that should be corrected. The script also honors OPENAI_BASE_URL / OPENAI_API_BASE to change the API base: while useful for enterprise proxies, this lets a configured base be repointed to an arbitrary endpoint, which could be used to collect prompts/keys if set by an attacker or misconfigured environment. Only an OpenAI API key (and optional API base override) appears necessary; no other credentials are requested.
- Persistence & Privilege (ok): The skill does not request persistent or elevated platform privileges (always:false). It writes output files to a local out-dir but does not attempt to modify other skills or system configuration. Autonomous invocation is enabled by default (platform default) but there is no always:true or other escalated persistence.
