Back to skill
Skillv1.0.5
ClawScan security
OpenFishy Feed Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 22, 2026, 2:29 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, required binaries, and environment variables are consistent with its stated purpose (generate media via fal.ai and submit to an OpenFishy feed); nothing obvious indicates it is trying to do a different or unrelated action.
- Guidance
- This skill appears to do what it says: it calls fal.ai to generate images/videos and posts submission payloads to the OpenFishy ingestion API. Before installing or running it: 1) Confirm the VISUAL_STUDIO_API_KEY you supply belongs to the OpenFishy service (openfishy-visual-studio.vercel.app) and not some unrelated Microsoft/IDE token. 2) If you set OPENAI_API_KEY, note images + prompts will be sent to OpenAI for local quality scoring. 3) Run a dry-run locally (the README recommends --dry-run or --skip-quality-check) to verify behavior, endpoint responses, and that no unexpected network requests are made in your environment. 4) Review network/egress policies and rate limits for fal.ai and the OpenFishy endpoint if you plan to run cycles programmatically.
Review Dimensions
- Purpose & Capability
- okName/description promise (generate media with fal.ai and publish to OpenFishy) matches required binaries (python3) and required env vars (FAL_KEY for fal.ai, VISUAL_STUDIO_API_KEY for the OpenFishy ingestion API). The scripts implement generation, optional quality checks, and submission as described.
- Instruction Scope
- noteRuntime instructions and scripts only perform: building prompts from local theme/profile files, calling fal.ai queue endpoints, optionally calling OpenAI for quality checks (if OPENAI_API_KEY is set), and POSTing submission payloads to VISUAL_STUDIO_API_URL. The SKILL.md and scripts explicitly declare these external endpoints. Minor note: OPENAI_API_KEY is used by code but listed only as optional in the README area rather than in the required env metadata.
- Install Mechanism
- okNo install spec; scripts are included and are standard-library-only Python. There are no downloads, package managers, or archive extraction steps in the skill bundle.
- Credentials
- noteThe two required env vars (FAL_KEY and VISUAL_STUDIO_API_KEY) are proportional to the declared functionality. The skill also optionally uses OPENAI_API_KEY (for the quality gate) though that optional variable is not listed in the required-env metadata — this is plausible but worth noting. Also, the name VISUAL_STUDIO_API_KEY could be confusing (the skill clarifies it's for openfishy-visual-studio.vercel.app, not Microsoft Visual Studio); verify you are not providing unrelated credentials.
- Persistence & Privilege
- okalways is false and the skill does not request persistent installation or modify other skills or system-wide configs. It runs on-demand and does not persist itself on host startup.