Skill v2.1.0
ClawScan security
Image Prompt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 12:14 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose: it generates, enhances, and stores image prompts locally and does not request credentials or perform network operations in the provided files.
- Guidance: This skill appears to be a straightforward, local prompt generator and manager. It stores prompts and a usage log under ~/.image-prompt (or the path you set in IMAGE_PROMPT_DIR) — review those files if you are concerned about sensitive content being saved. No credentials or network endpoints were found in the provided files, but if you rely on the translate command or any later edits to the script, double-check the full script for any network calls (curl/wget/ssh) before installing. As always, inspect the included script yourself if you want to be certain there are no unexpected remote calls or modifications.
Review Dimensions
- Purpose & Capability (ok): Name/description (image prompt generation and enhancement) align with the included script and SKILL.md. The script implements word banks, style presets, prompt generation/enhancement, saving, listing, and logging — all expected for this utility. No unrelated credentials, binaries, or cloud access are requested.
- Instruction Scope (ok): SKILL.md and the script operate on local data and print prompts; they reference only the declared local data directory (IMAGE_PROMPT_DIR / $HOME/.image-prompt). Commands and file accesses in the script are limited to creating/reading/writing the prompts file and history log. I saw no instructions that read unrelated system files or access external endpoints in the provided content.
- Install Mechanism (ok): No install spec is present (instruction-only style plus a bundled script). Nothing is downloaded or written outside the user's data directory by the script. This is the lower-risk pattern for skills.
- Credentials (ok): The skill requires no environment variables or credentials; it optionally honors IMAGE_PROMPT_DIR to change the local data path. That is proportionate to a local prompt-management tool.
- Persistence & Privilege (ok): The skill does not set always: true and does not request elevated privileges. It writes only to its own data directory (~/.image-prompt by default) and does not modify other skills or system-wide agent settings in the visible code.
