Skill v1.0.0

ClawScan security

Mecha Art Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 3:25 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package is internally consistent: it implements a CLI that sends a user-supplied Neta API token to the Neta/TalesOfAI image API to generate images, which matches the skill description and instructions.
Guidance
This skill appears coherent and only needs your Neta API token to call api.talesofai.com. Before installing or running:
1) Verify you trust the source (owner slug/ID looks like an opaque identifier); installing packages from unknown publishers carries risk.
2) Only provide a token you control and are willing to revoke; avoid pasting long-lived secrets you use elsewhere.
3) Inspect mechaartgenerator.js (already included) before running to confirm behavior: the script sends the token to api.talesofai.com and prints the returned image URL.
4) If you install via an external installer (npx, clawhub), review what that installer will fetch and run.
If any of these raise concerns, obtain a temporary/restricted token or avoid installing.

Review Dimensions

Purpose & Capability
ok
Name/description claim: generate mecha art via Neta. What it actually does: a CLI (mechaartgenerator.js) that constructs image-generation requests and polls api.talesofai.com for results. Required artifacts (a Neta token passed via --token) match the stated purpose.
Instruction Scope
ok
SKILL.md instructs running the included Node script with a --token flag. The script only reads CLI args (prompt, size, ref, token) and performs network calls to the Neta API. It does not access other files, system config, or unrelated environment variables.
Install Mechanism
ok
No install spec is present; this is instruction+code only. README suggests adding via the skills CLI or clawhub, but there is no remote download URL or installer that would write arbitrary binaries. No extract/download from unknown hosts is present in the package itself.
Credentials
ok
The only credential required is a Neta API token (passed via --token or a shell variable). No unrelated secrets or configuration paths are requested. The script transmits that token to api.talesofai.com as expected for the service.
Persistence & Privilege
ok
The skill does not request permanent/always-included presence and does not modify other skills or system-wide config. It runs as a user-invoked CLI and prints an image URL; autonomous invocation is allowed by default but not combined with other concerning factors here.