Skill v1.0.0

ClawScan security

Retro Travel Poster Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 11:13 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions align with its purpose (generating images via the Neta/TalesOfAI API); the only minor inconsistencies are a missing declared requirement for Node and a small tooling label mismatch in SKILL.md.
Guidance
This skill appears to do what it says: it sends your prompt and the token you provide to the Neta/TalesOfAI image API and returns an image URL. Before installing: (1) Be aware you must run it with Node (the metadata omits this requirement); (2) only supply an API token you trust to be used by this external service—tokens will be sent as the 'x-token' header to api.talesofai.com; (3) review the included JS if you have stricter privacy/security requirements; (4) if you plan to sell generated art, review Neta/TalesOfAI terms and copyright/usage policy for commercial use and potential content restrictions.

Review Dimensions

Purpose & Capability
Status: note
The skill name/description, README, SKILL.md, and code all consistently point to using the Neta/TalesOfAI image API to generate retro travel posters. The only mismatch is that package metadata declares no required binaries, but the runtime requires Node (usage examples call `node ...`). This is a minor metadata omission rather than functional misalignment.
Instruction Scope
Status: ok
SKILL.md tells the agent/user to run the included Node script and pass a Neta token via `--token`. The instructions do not ask the agent to read unrelated files, environment variables, or transmit data to unexpected endpoints. (Minor tooling label mismatch: SKILL.md lists 'tools: Bash' while the script is Node.)
Install Mechanism
Status: ok
There is no install spec (instruction-only install), and the code file is bundled directly. No third-party downloads, installers, or archive extraction are used. This presents a low install risk; the only risk is running included code locally (reviewed here).
Credentials
Status: ok
The skill requires a single API token provided via the `--token` flag; no other environment variables, credentials, or config paths are requested. The token is sent as an 'x-token' header to api.talesofai.com, which is expected for this functionality.
Persistence & Privilege
Status: ok
The skill does not request persistent/higher privileges (always:false) and does not modify other skills or system-wide configuration. It can be invoked autonomously per platform defaults, but that is normal and not combined with other red flags.