Back to skill
Skillv1.0.0
ClawScan security
Manga Panel Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 3:59 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions match its stated purpose (calling the Neta/TalesOfAI image API to generate manga panels) and do not request unrelated credentials or system access.
- Guidance
- This skill appears internally coherent: it simply sends prompts and a user-supplied token to the Neta/TalesOfAI API and prints an image URL. Before installing, confirm you trust the external provider (api.talesofai.com / neta.art), because your token and prompt text will be sent to that service. To reduce exposure, avoid putting the token directly on the command line on multi-user systems (use an environment variable or a shell variable expansion as shown). If you need stronger assurance, review the network calls yourself or run the script in an isolated environment. The source/publisher is unknown, so if you require provenance guarantees prefer an officially published client or review the repository history before using with sensitive prompts or secrets.
Review Dimensions
- Purpose & Capability
- okName/description, README, SKILL.md, and the included mangapanelgenerator.js all consistently implement an image-generation client that talks to api.talesofai.com (Neta). No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- noteSKILL.md and the script instruct running node with a --token flag and optional flags (--size, --ref). The instructions and code only perform API calls to api.talesofai.com and return the image URL. Note: passing secrets on the command line can expose them in process lists or command history; the README shows expanding a shell variable which is a safer alternative.
- Install Mechanism
- okNo install spec is included in the registry entry (instruction-only install). The package contains a small JS script and package.json; there are no downloads from untrusted URLs or extract/install steps.
- Credentials
- okNo environment variables or other credentials are required by the registry metadata. The script requires a single API token passed at runtime (--token) which is appropriate and proportional to contacting the external image service.
- Persistence & Privilege
- okThe skill is not always-enabled, does not request elevated or persistent system privileges, and does not modify other skills or global agent configuration.