Skillv1.0.0

ClawScan security

Logo Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 13, 2026, 1:31 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally coherent for generating minimalist logos: it is an instruction layer that formats a prompt and delegates to a core image-generation primitive; nothing in the included files requests unrelated credentials or elevated privileges.
Guidance: This skill appears to be a thin 'expert prompt' layer that builds a logo brief and calls a local core primitive (core/media/generate-image.sh). Before installing, verify the behavior of that core script: confirm whether it calls external services (muapi/Flux) and how it handles and transmits prompt contents and any brand data (privacy). The SKILL.md references muapi.ai while the script uses model 'flux-dev' — ask the publisher which service is actually used and whether API keys or data will be sent to an external endpoint. Also review the core script for network calls or credential use; if you cannot inspect core/media/generate-image.sh in your environment, treat the skill as requiring trust in that primitive. Functionally low-risk, but verify external-image-generator integration and data-handling policies before use.

Purpose & Capability: noteThe name/description promise (logo generation via muapi.ai) generally matches the files: SKILL.md defines logo design rules and the script constructs an expert prompt. Minor inconsistency: the description mentions muapi.ai but the script invokes a local core/media/generate-image.sh with model 'flux-dev' rather than directly calling muapi.ai. That could be harmless (the core primitive may talk to muapi/Flux) but it's unexplained.
Instruction Scope: okSKILL.md and the script stay on-task: they ask the agent to refine a brand brief, constrain style, and then call the core image generator. The instructions do not read unrelated files, environment variables, or send data to unexpected endpoints within the provided files.
Install Mechanism: okNo install spec is present and the only code is a small shell script. Nothing is downloaded or written to disk by an installer — lowest-risk install posture.
Credentials: okThe skill declares no required env vars, credentials, or config paths and the script does not access any secrets. There are no disproportionate credential requests.
Persistence & Privilege: okalways:false and default invocation settings are used. The skill does not request permanent presence or modify other skills or system-wide settings.