Blog Image Claw Skill

Verdict: Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it advertises—generate blog images through the disclosed Neta/TalesofAI API—but users should handle the required token and external prompt sharing carefully.

Before installing, confirm you trust the package source and the Neta/TalesofAI service. Use a dedicated or limited token if possible, avoid exposing the token in shared command logs, and keep confidential blog text out of prompts unless provider sharing is acceptable.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The script can use the user's Neta token to submit image-generation jobs, which may consume account quota or expose the token if copied into shared logs or chats.

Why it was flagged

The skill requires a service credential and shows passing it to the script. This is expected for a Neta image-generation integration, but it grants use of the user's Neta account/quota and is under-declared in the registry metadata.

Skill content
Requires a Neta API token... node <script> "your prompt" --token "$NETA_TOKEN"
Recommendation

Use a limited or dedicated token if available, avoid sharing command transcripts containing secrets, and rotate the token if it may have been exposed.

What this means

Private draft text or sensitive details included in prompts may be sent to the image provider.

Why it was flagged

The user's prompt is sent to the external TalesofAI API. This is disclosed and purpose-aligned, but prompt/blog content becomes provider-shared data.

Skill content
rawPrompt: [{ type: "freetext", value: prompt, weight: 1 }], ... fetch("https://api.talesofai.com/v3/make_image", {
Recommendation

Do not include confidential blog content or private details in prompts unless you are comfortable sending them to Neta/TalesofAI.

What this means

It may be harder to verify the maintainer, update history, or authoritative source before installing.

Why it was flagged

The artifacts include readable source and no dependency install chain, but the package provenance is not fully documented in the registry metadata.

Skill content
Source: unknown
Homepage: none
Recommendation

Install only from a trusted registry/source and review the exact versioned files before providing a token.