Skill v1.0.0

ClawScan security

Pinup Art Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 12:15 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is a straightforward CLI wrapper around the Neta (api.talesofai.com) image API that requires a Neta token and otherwise does not request unrelated access or perform unexpected actions.
Guidance
This appears to be a simple and coherent CLI wrapper for the Neta image API. Before installing or running: (1) verify you trust the skill source/owner (npx install paths or repository provenance), (2) only provide a Neta token (do not reuse unrelated secrets), and (3) review the code locally if you plan to run it on sensitive systems. Also consider content/legal implications of generating stylized/person-based artwork (copyright and platform policy). If you want higher assurance, run the single JS file in a sandbox or inspect it line-by-line (it is short) before executing.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the code builds a text prompt, sends it to api.talesofai.com, polls for an image URL, and prints the URL. Requiring a Neta API token (passed via --token) is appropriate for this purpose.
Instruction Scope
ok: SKILL.md and the script instruct the agent/user to call node pinupartgenerator.js with a prompt and token. The instructions and code do not read arbitrary files, environment variables, or other system state, nor do they exfiltrate data to unexpected endpoints. Progress is printed to stderr and the final image URL to stdout as documented.
Install Mechanism
ok: There is no install spec and no downloads or extracts; the skill is instruction/code-only. The included JS file runs locally and makes outbound HTTPS calls to the documented API. No external installers or archive downloads are used.
Credentials
note: The skill requires a Neta API token, which is reasonable. Metadata lists no required env vars; the token is supplied via a CLI flag (--token). This is a minor inconsistency in metadata vs. runtime usage but not a security issue. The script does not request other unrelated credentials.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system-wide settings, and has no elevated persistence requirements. It behaves as a normal, user-invoked CLI skill.