Skill v2.1.0
ClawScan security
Wallpaper Claw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 27, 2026, 4:05 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements align with its stated purpose (generating wallpapers via the Neta/talesofai API); it asks only for a user-provided API token and makes network calls to the API host noted in the docs.
- Guidance: This skill appears coherent and limited to generating images via the Neta/talesofai API, but a few practical precautions apply: (1) Only use a token you obtained from the service you trust (neta.art / talesofai). (2) The script expects the token on the command line (--token), which can be exposed in process listings or shell history — avoid exposing sensitive tokens this way (consider wrapping the script to read the token from a protected environment variable or prompt). (3) The code will send whatever prompt and optional reference UUIDs you provide to api.talesofai.com; do not include sensitive or private data in prompts. (4) Because the skill comes from an unverified/unknown source, inspect the repository or run the script in a controlled environment before granting it broader use. Overall there are no disproportionate permissions or hidden behaviors detected.
Review Dimensions
- Purpose & Capability (ok): Name/description describe an image-generation helper that calls the Neta/talesofai API; the included scripts only contact https://api.talesofai.com and return image URLs. There are no unrelated credentials, binaries, or system accesses requested.
- Instruction Scope (ok): SKILL.md instructs running the provided node script and passing a Neta API token via --token. The runtime instructions and the code operate only on prompts, optional reference UUIDs, and the API token; they do not read or transmit local files, unrelated env vars, or other system configuration.
- Install Mechanism (ok): No install spec or external downloads are used; this is an instruction+code bundle the agent would run locally. There is no URL-based installer, no extracted archives, and no package registry installs declared in the skill metadata.
- Credentials (ok): The skill requires a single API token supplied at runtime via --token (not via environment variables). No other secrets, cloud credentials, or unrelated env vars are requested.
- Persistence & Privilege (ok): always:false and user-invocable:true. The skill does not attempt to modify other skills or agent-wide configs and does not request permanent presence or elevated privileges.
