Skill v1.0.0

ClawScan security

WaveSpeedAI Nano Banana 2 Image Generation/Editing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 2, 2026, 3:11 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match an image-generation purpose but contain inconsistencies (it instructs use of a WAVESPEED_API_KEY and local file uploads) that are not reflected in the registry metadata, which is suspicious and needs clarification before use.
Guidance
Do not install blindly. Ask the publisher to: (1) declare WAVESPEED_API_KEY (or other credentials) in the skill metadata so you can see what secrets are required; (2) provide a verified homepage/source and a clear install instruction for the 'wavespeed' client; (3) clarify how local files are accessed and whether uploads are limited or logged. If you proceed, only use a scoped/ephemeral API key, avoid uploading sensitive images, and confirm the wavespeed.ai domain and ownership. If the publisher cannot justify the missing metadata or provide a trustworthy source, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
note: The name and description claim image generation/editing via WaveSpeed AI, which matches the SKILL.md examples (wavespeed.run, wavespeed.upload). However, the registry metadata declares no required environment variables or credentials, while the runtime docs explicitly reference WAVESPEED_API_KEY and an external service (wavespeed.ai). There is also no homepage or source URL with which to verify the publisher.
Instruction Scope
concern: SKILL.md instructs uploading local files (e.g., wavespeed.upload('/path/to/photo.png')) and sending images to WaveSpeed endpoints. That implies the agent will read local file paths and transmit image data to an external service. The instructions provide no limiting guidance about what files to upload or any safeguards; they also assume a 'wavespeed' client is available, though no install is declared.
Install Mechanism
ok: There is no install spec and no code files (instruction-only), which is lower-risk from an install perspective. Note: SKILL.md assumes the 'wavespeed' client library is present but does not provide an install method; this is an operational gap but not an active install risk.
Credentials
concern: The documentation shows that an environment variable, WAVESPEED_API_KEY, is required for authentication, but the skill metadata does not declare any required env vars or a primary credential. That mismatch is problematic: the skill will need an API key to function, yet the registry claims none are required. There are no requests for unrelated credentials, but the missing declaration reduces transparency and could lead to accidental credential sharing.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable only. It does not attempt to modify other skills or system-wide settings in the provided instructions.