Skill v1.0.0

ClawScan security

Comic Guide Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 8, 2026, 10:25 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements, instructions, and install script are consistent with a comic-image generation tool; nothing requests excessive credentials or system privileges, but you should review the external GitHub source and be aware of copyright and install-time effects before running the installer.
Guidance
This skill appears coherent for generating AI comic PNGs. Before installing:
1) Inspect the GitHub repository referenced by the installer (https://github.com/bcefghj/comic-guide-skill); do not pipe curl output into bash or sh without review.
2) Note the registry owner (kn72...) differs from the GitHub username (bcefghj); confirm you trust that repo.
3) The installer will write files into ~/.cursor, ~/.claude, or ~/.openclaw. That's expected, but verify the paths if you care about where files are placed.
4) The skill's prompts explicitly target well-known copyrighted characters (Doraemon, Naruto, One Piece, Dragon Ball, Conan, Shin-chan, Ghibli, etc.); generating or distributing images in those styles may have legal or platform-policy implications.
5) If you plan to use a backend that requires API keys, provide them only to the platform/skill backend you trust (the skill itself does not request env vars).
6) When supplying <source> values, avoid pointing to sensitive local files or URLs you don't intend to share, since the skill will read the content you provide.

Review Dimensions

Purpose & Capability
ok: The name/description (generate AI comic PNGs from docs/code) matches the SKILL.md workflow (content analysis → prompts → AI image generation). It references platform image-generation tools (Cursor GenerateImage, baoyu-imagine, image-gen) which is appropriate for this purpose. No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
ok: Runtime instructions are limited to reading the provided <source> (file/URL/text), producing analysis/storyboard/prompts, and invoking an image generator. The SKILL.md does instruct reading user-supplied files or URLs (expected for converting content) but does not instruct reading unrelated system files or exfiltrating data to other endpoints. Prompts and templates are fully contained in the repository.
Install Mechanism
note: An included install.sh downloads the repository from GitHub (https://github.com/bcefghj/comic-guide-skill) using git/curl/wget and copies SKILL.md, references, and examples into ~/.cursor, ~/.claude, or ~/.openclaw locations. Downloading from GitHub is a common pattern and lower risk than arbitrary hosts, but it does write files into user skill directories. Review the remote repo before running the installer.
Credentials
ok: The skill declares no required environment variables or credentials. The README correctly notes that certain image backends/platforms may require API keys (e.g., Claude/OpenClaw image backends), which is reasonable and expected; the skill itself does not directly ask for credentials.
Persistence & Privilege
ok: Skill does not request always:true and is user-invocable. The install script writes files into the user's skill directories (normal for installing a skill). It does not modify other skills' config or request elevated system privileges.