Skill v1.0.0
ClawScan security
Food Photography Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill behaves as described: it takes a Neta API token via a --token flag and calls api.talesofai.com to generate images; there are no unrelated credentials, obscure install steps, or persistence demands.
- Guidance: This skill appears coherent and limited in scope, but you should: (1) only provide your Neta/TalesOfAI token if you trust that service; (2) avoid embedding tokens in logs or shared scripts (use shell variables when possible); (3) inspect the included script before running if you have concerns (it is short and readable); (4) ensure your Node version supports global fetch or run in an environment that does; and (5) review the API provider's terms and privacy policy if you will send proprietary images or prompts.
Review Dimensions
- Purpose & Capability: ok. Name/description, README, SKILL.md, and code all consistently implement an image-generation tool that calls the Neta/TalesOfAI API. The only credential required is an API token supplied at runtime via --token, which is appropriate for this purpose. No unrelated services, binaries, or config paths are requested.
- Instruction Scope: ok. Runtime instructions tell the user to run the included node script with a prompt and --token. The script only reads CLI args and contacts the documented API endpoints; it does not read environment variables or local files. Instructions are narrow and constrained to the stated task.
- Install Mechanism: ok. No install spec is present in the registry (instruction-only), and the package contains a small JS script and package.json. There are no downloads from unknown URLs or archive extraction steps. The README's suggested installation via npx/clawhub is just the normal skill installation flow.
- Credentials: ok. No environment variables or credentials are declared in registry metadata; the tool requires a single API token provided on the command line. That is proportionate to calling a hosted image-generation API. The code does not attempt to read other env vars or files.
- Persistence & Privilege: ok. The skill does not request always:true, does not modify other skills or global config, and has no persistent background components. Autonomous invocation is allowed (the platform default) but the skill itself is not granted extra privileges.
