ClawHub
Back to skill
v1.0.0

web-ai-image-generation

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:42 PM.

Analysis

The skill appears purpose-aligned, but it needs review because it reuses and persists browser login sessions for Gemini or ChatGPT.

GuidanceInstall only if you are comfortable letting this skill control a logged-in Gemini or ChatGPT browser session. Prefer a dedicated Playwright profile and account, avoid your everyday browser profile, review the output directory, and delete the runtime profile when finished.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
metadata
Source: unknown; Homepage: none

The package provenance is not identified. This is not malicious by itself, but it matters more because the skill handles live browser sessions.

User impactYou have less context about who maintains the code that will access your logged-in web accounts.
RecommendationReview the included script before use and install dependencies only in an environment where you are comfortable granting browser-session access.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
复用浏览器 profile 中的登录态... 后续运行会自动复用该 profile 中保存的登录状态... page.request.get(),这样可以携带当前 Playwright context 的登录 cookie

The skill uses persistent browser session state and login cookies to operate third-party accounts, which is sensitive account authority even though it is part of the stated purpose.

User impactThe skill can act through your logged-in Gemini or ChatGPT session and may consume account capability, quota, or expose session-backed content to the automation context.
RecommendationUse a dedicated browser profile and, ideally, a dedicated account; do not point it at your normal browser profile, and clear the runtime profile when you no longer need the skill.