This skill appears to do what it says (call Neta to generate images), but there are a few red flags you should consider before installing: - The packaged script requires a NETA_TOKEN but the skill metadata does not list any required env vars. Treat this as an omission and assume you must provide your Neta API token to use it. - The script will try to read NETA_TOKEN from two local .env files (~/.openclaw/workspace/.env and ~/developer/clawhouse/.env). If you keep other secrets in those files, consider moving them or avoid relying on implicit file reads. Review the code to ensure it only extracts NETA_TOKEN. - Documentation and code disagree on the API base env var name (README mentions NETA_API_BASE_URL; the script uses NETA_API_URL). That mismatch can cause unexpected network calls if you try to customize endpoints. Confirm which env var to set or update the script/docs. - Network endpoints contacted appear limited to the Neta/talesofai API (api.talesofai.com). If you are uncomfortable, run the script in a sandbox or inspect/execute it locally with a throwaway token first. Actions you can take: inspect the bundled blogimageclaw.js yourself (it is included), verify it only reads the indicated files and only sends data to the Neta endpoints, and ask the publisher to update registry metadata to declare NETA_TOKEN and fix the README/env-var mismatch. If you store other secrets in the .env files the script reads, remove or isolate them before use.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.