Skill v2.0.0
ClawScan security
Ai Image Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 7:16 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements mostly match its stated purpose (calling SkillBoss API to generate images); the only notable inconsistency is that the registry metadata omitted the SkillBoss_API_KEY requirement declared in SKILL.md.
- Guidance: This skill appears to do what it says: make requests to SkillBoss to generate images. Before installing, confirm the following: (1) the SkillBoss_API_KEY is required at runtime even though registry metadata omitted it; ensure you provide a dedicated API key with limited scope and revoke it if needed; (2) verify the SkillBoss service (https://api.SkillBoss.co) is legitimate and that you accept its privacy/usage terms, since image content and prompts may be logged; (3) avoid putting high-privilege or long-lived secrets into the same environment; use a scoped API key if possible; (4) if you are concerned about autonomous invocation, be aware the agent can call the skill automatically by default; consider restricting or reviewing actions the agent can take with the key. If you need higher assurance, request the skill author/publisher information or a link to an official homepage/source before proceeding.
Review Dimensions
- Purpose & Capability (ok): The skill declares an image-generation purpose via the SkillBoss API Hub and the runtime instructions show exactly that: HTTP calls to https://api.SkillBoss.co/v1 to request image models. Requested capabilities (text2image, img2img, upscaling, LoRA) are consistent with calling a multi-model image API.
- Instruction Scope (ok): SKILL.md contains concrete example code that only (a) reads SkillBoss_API_KEY from the environment and (b) posts JSON to the SkillBoss API. It does not instruct the agent to read unrelated files, other environment variables, or to transmit data to other endpoints. No vague 'gather context' instructions are present.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files. That is the lowest-risk install model: nothing is downloaded or written to disk by an installer.
- Credentials (note): SKILL.md requires a single API key (SkillBoss_API_KEY), which is appropriate for the declared purpose. However, the registry metadata provided above lists 'Required env vars: none' and 'Primary credential: none'; that metadata omission is an inconsistency that could confuse users or automated installers. No other unrelated credentials are requested.
- Persistence & Privilege (ok): The skill does not request always:true and does not require writing system-wide configuration; it is user-invocable and allows autonomous invocation by the agent (the platform default). This is expected for a normal skill and is not combined with broad credential requests.
