Back to skill
Skillv1.0.1
ClawScan security
Image Background Remove · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 11:03 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with an image background-removal integration that calls verging.ai; it only needs curl and the VERGING_API_KEY and does not request unrelated access.
- Guidance
- This skill will send images to verging.ai for processing and requires your VERGING_API_KEY. Before installing, verify you trust verging.ai and are comfortable sending the kinds of images you will process (avoid uploading sensitive personal data). Confirm the API key is stored only where you intend (avoid shared/global environments), verify the service's pricing/credit model (it mentions 1 credit/image), and test first with non-sensitive images. The SKILL.md shows a CDN/public_url (img.panpan8.com) and a reused-sounding endpoint (/upload-video) — consider confirming those endpoints with the provider if you need assurance of data residency or provenance. If the key is compromised, revoke it from your verging.ai account.
Review Dimensions
- Purpose & Capability
- okName/description (background removal) align with declared requirements: curl and a single API key (VERGING_API_KEY) are exactly what you'd expect for a remote image-processing API.
- Instruction Scope
- noteInstructions stay within the feature scope (download remote image if needed, upload to presigned URL, create job, poll status, return result). Minor oddities: the API uses an endpoint named /upload-video and form field video_file_name for images, and the example public_url domain (img.panpan8.com) differs from verging.ai — these are implementation details that could be legitimate (CDN or reused endpoints) but are worth verifying with the service.
- Install Mechanism
- okNo install spec and no code files (instruction-only). This is low-risk: nothing is written to disk by the skill itself beyond what the runtime agent will do when executing the described steps.
- Credentials
- okOnly one credential is required (VERGING_API_KEY) plus an optional VERGING_API_URL override. That is proportionate for a third-party API integration; no unrelated secrets or system paths are requested.
- Persistence & Privilege
- okalways is false and the skill does not request to be permanently injected or modify other skills. It describes transient operations (download/upload/poll) only.